CVE-2024-24549
Denial of Service vulnerability in org.apache.tomcat:tomcat-coyote


What is CVE-2024-24549 About?

This vulnerability is a Denial of Service (DoS) in Apache Tomcat affecting multiple versions (11.0.0-M1 through 11.0.0-M16, 10.1.0-M1 through 10.1.18, 9.0.0-M1 through 9.0.85, and 8.5.0 through 8.5.98). It allows an attacker to cause resource exhaustion and potential server unavailability via crafted HTTP/2 requests exceeding configured header limits. Exploitation is relatively easy with specialized HTTP/2 requests.

Affected Software

  • org.apache.tomcat:tomcat-coyote
    • >11.0.0-M1, <11.0.0-M17
    • >9.0.0-M1, <9.0.86
    • >8.5.0, <8.5.99
    • >10.1.0-M1, <10.1.19
  • org.apache.tomcat.embed:tomcat-embed-core
    • >11.0.0-M1, <11.0.0-M17
    • >9.0.0-M1, <9.0.86
    • >8.5.0, <8.5.99
    • >10.1.0-M1, <10.1.19

Technical Details

The Denial of Service vulnerability in Apache Tomcat's HTTP/2 handling arises because the server does not immediately reset an HTTP/2 stream when the request headers exceed the configured limits. Instead, Tomcat continues to process all incoming headers even after it has determined that a limit has been breached. Continuing to parse oversized or excessively numerous headers, without promptly closing the offending stream, consumes significant CPU and memory on the server. An attacker can repeatedly send such malformed HTTP/2 requests, keeping multiple streams open and consuming resources until the server is overwhelmed and a Denial of Service results. The root cause is improper input validation within the HTTP/2 protocol implementation.

What is the Impact of CVE-2024-24549?

Successful exploitation may allow attackers to consume excessive server resources, leading to performance degradation, system instability, or a complete Denial of Service for the Apache Tomcat server.

What is the Exploitability of CVE-2024-24549?

Exploitation involves sending specifically crafted HTTP/2 requests with headers that exceed the server's configured limits. The complexity is moderate, requiring knowledge of HTTP/2 protocol specifics and how to manipulate header sizes or counts. No authentication or specific privileges are required, making this an unauthenticated remote vulnerability. An attacker can directly send these requests to the exposed Apache Tomcat server. The primary prerequisite is that the Tomcat server is configured to handle HTTP/2. The risk factors include publicly accessible Tomcat instances and default configurations with standard header limits that can easily be exceeded by malicious requests.

What are the Known Public Exploits?

PoC Author     | Link | Commentary
JFOZ1010       | Link | Proof of concept of CVE-2024-24549, exploit in Python.
Abdurahmon3236 | Link | PoC for CVE-2024-24549

What are the Available Fixes for CVE-2024-24549?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch enforces immediate validation of HTTP/2 headers after frame parsing, ensuring that malformed or illegal headers are detected and reported as soon as they occur rather than deferring checks. This mitigates CVE-2024-24549 by preventing clients from exploiting delayed header validation to smuggle or inject malicious/invalid headers through multiple frames.

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >8.5.0, <8.5.99 → Upgrade to 8.5.99
    • >9.0.0-M1, <9.0.86 → Upgrade to 9.0.86
    • >10.1.0-M1, <10.1.19 → Upgrade to 10.1.19
    • >11.0.0-M1, <11.0.0-M17 → Upgrade to 11.0.0-M17
  • org.apache.tomcat:tomcat-coyote
    • >8.5.0, <8.5.99 → Upgrade to 8.5.99
    • >9.0.0-M1, <9.0.86 → Upgrade to 9.0.86
    • >10.1.0-M1, <10.1.19 → Upgrade to 10.1.19
    • >11.0.0-M1, <11.0.0-M17 → Upgrade to 11.0.0-M17
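The following is an added example (not Resolved Security's or Apache Tomcat's code) that turns the affected ranges and upgrade targets above into a dependency check: given a Maven coordinate and version, it reports whether the build pulls in a vulnerable tomcat-coyote or tomcat-embed-core and which release on the same branch fixes it. It assumes the lower bounds are inclusive, as the summary's wording ("11.0.0-M1 through 11.0.0-M16") indicates, and that a Tomcat milestone (-Mn) sorts before the final release of the same number.

```python
import re

# Maven coordinates this page lists as affected.
VULNERABLE_ARTIFACTS = {
    "org.apache.tomcat:tomcat-coyote",
    "org.apache.tomcat.embed:tomcat-embed-core",
}

# (inclusive lower bound, exclusive upper bound == first fixed release),
# taken from the Affected Software and Available Upgrade Options sections.
AFFECTED_RANGES = [
    ("8.5.0", "8.5.99"),
    ("9.0.0-M1", "9.0.86"),
    ("10.1.0-M1", "10.1.19"),
    ("11.0.0-M1", "11.0.0-M17"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version):
    """Turn '11.0.0-M16' into a sortable tuple. A milestone (-Mn) sorts
    before the final release of the same number, so 11.0.0-M17 < 11.0.0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def affected_range(version):
    """Return the (low, fixed) range covering `version`, or None if none does."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(fixed):
            return (low, fixed)
    return None


def is_vulnerable(artifact, version):
    """True if this Maven artifact:version falls inside an affected range."""
    return artifact in VULNERABLE_ARTIFACTS and affected_range(version) is not None


def upgrade_target(artifact, version):
    """First fixed release on the same branch, or None if not affected."""
    if not is_vulnerable(artifact, version):
        return None
    return affected_range(version)[1]


if __name__ == "__main__":
    # Constructed sample coordinates, as they would appear in a dependency report.
    for coord in ("org.apache.tomcat:tomcat-coyote:9.0.85",
                  "org.apache.tomcat.embed:tomcat-embed-core:11.0.0-M17"):
        group, name, ver = coord.rsplit(":", 2)
        print(coord, "->", upgrade_target(f"{group}:{name}", ver) or "not affected")
```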


Additional Resources

What are Similar Vulnerabilities to CVE-2024-24549?

Similar Vulnerabilities: CVE-2023-45648, CVE-2022-45143, CVE-2021-43980, CVE-2020-1938, CVE-2019-0232