CVE-2024-23672
Denial of Service vulnerability in tomcat-websocket (Maven)

Denial of Service | No known exploit

What is CVE-2024-23672 About?

This vulnerability in Apache Tomcat allows WebSocket clients to maintain open connections indefinitely, leading to resource exhaustion and a denial of service. Attackers can easily exploit this by preventing proper cleanup of WebSocket connections. The impact is degradation or unavailability of the Tomcat server.

Affected Software

  • org.apache.tomcat:tomcat-websocket
    • >11.0.0-M1, <11.0.0-M17
    • >9.0.0-M1, <9.0.86
    • >8.5.0, <8.5.99
    • >10.1.0-M1, <10.1.19
  • org.apache.tomcat.embed:tomcat-embed-websocket
    • >11.0.0-M1, <11.0.0-M17
    • >9.0.0-M1, <9.0.86
    • >8.5.0, <8.5.99
    • >10.1.0-M1, <10.1.19

Technical Details

The vulnerability in Apache Tomcat (versions 11.0.0-M1 through 11.0.0-M16, 10.1.0-M1 through 10.1.18, 9.0.0-M1 through 9.0.85, and 8.5.0 through 8.5.98) is due to an incomplete cleanup mechanism for WebSocket connections. Malicious WebSocket clients can exploit this by intentionally keeping WebSocket connections open without proper closure or by exploiting defects in how Tomcat handles these connections. This behavior prevents Tomcat from releasing the resources (e.g., memory, threads) associated with these connections. Over time, as more such connections accumulate, the server experiences resource exhaustion, leading to performance degradation or a complete denial of service. The attack vector involves establishing and then not properly terminating WebSocket connections.

What is the Impact of CVE-2024-23672?

Successful exploitation may allow attackers to exhaust server resources, causing a denial of service and making the Apache Tomcat server and hosted applications unavailable to legitimate users.

What is the Exploitability of CVE-2024-23672?

Exploitation of this vulnerability is of low complexity. An attacker only needs to be able to establish and maintain WebSocket connections with a vulnerable Apache Tomcat server. No authentication is required if the WebSocket endpoint is publicly accessible; if the endpoint requires authentication, an authenticated attacker could perform the attack. Privilege requirements are minimal: only network access to the server's WebSocket port is needed. This is a remote exploitation scenario. The only precondition is that the server runs an affected version of Apache Tomcat and exposes a WebSocket endpoint. The likelihood of exploitation increases if the application makes wide use of WebSockets and lacks robust connection management or resource limits (such as idle timeouts or per-client session caps) for WebSocket sessions.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-23672?

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-websocket
    • >8.5.0, <8.5.99 → Upgrade to 8.5.99
    • >9.0.0-M1, <9.0.86 → Upgrade to 9.0.86
    • >10.1.0-M1, <10.1.19 → Upgrade to 10.1.19
    • >11.0.0-M1, <11.0.0-M17 → Upgrade to 11.0.0-M17
  • org.apache.tomcat:tomcat-websocket
    • >8.5.0, <8.5.99 → Upgrade to 8.5.99
    • >9.0.0-M1, <9.0.86 → Upgrade to 9.0.86
    • >10.1.0-M1, <10.1.19 → Upgrade to 10.1.19
    • >11.0.0-M1, <11.0.0-M17 → Upgrade to 11.0.0-M17


Additional Resources

What are Similar Vulnerabilities to CVE-2024-23672?

Similar Vulnerabilities: CVE-2023-2895, CVE-2022-45143, CVE-2021-39239, CVE-2020-13935, CVE-2018-8037