CVE-2024-34750
Improper Handling of Exceptional Conditions vulnerability in tomcat-embed-core (Maven)
What is CVE-2024-34750 About?
Apache Tomcat suffers from an uncontrolled resource consumption vulnerability in its HTTP/2 stream processing. Incorrect handling of excessive HTTP headers leads to miscounting active streams and using an infinite timeout, keeping connections open indefinitely. This results in a denial-of-service. Exploitation is moderately complex, requiring an attacker to send specific HTTP/2 requests.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
  - >11.0.0-M1, <11.0.0-M21
  - >9.0.0-M1, <9.0.90
  - >8.5.0, <=8.5.100
  - >10.1.0-M1, <10.1.25
- org.apache.tomcat:tomcat-coyote
  - >11.0.0-M1, <11.0.0-M21
  - >9.0.0-M1, <9.0.90
  - >8.5.0, <=8.5.100
  - >10.1.0-M1, <10.1.25
Technical Details
The vulnerability lies in Apache Tomcat's HTTP/2 implementation. When a request carries excessive HTTP headers, Tomcat does not handle the condition correctly, and its count of active HTTP/2 streams becomes wrong. Because of this miscount, the server applies an infinite timeout to connections that should have been closed, so they remain open indefinitely and keep consuming server resources (memory, file descriptors, etc.). An attacker can keep establishing such connections until the available resources are exhausted, producing a denial-of-service condition in which Tomcat can no longer accept new legitimate connections or process requests.
What is the Impact of CVE-2024-34750?
Successful exploitation may allow attackers to cause uncontrolled resource consumption, leading to a denial-of-service that renders the Apache Tomcat server unresponsive and unavailable.
What is the Exploitability of CVE-2024-34750?
Exploitation of this vulnerability is of moderate complexity. An attacker would need to craft specific HTTP/2 requests containing excessive or unusual headers to trigger the miscounting logic. No authentication is typically required if the HTTP/2 endpoint is exposed to the internet. There are no special privilege requirements beyond making network requests. This is a remote attack vector. The primary risk factor is the deployment of vulnerable Apache Tomcat versions with HTTP/2 enabled, especially if exposed directly to untrusted networks. The attack can be repeated to maintain resource exhaustion, making it an effective denial-of-service vector.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-34750?
About the Fix from Resolved Security
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
  - >9.0.0-M1, <9.0.90 → Upgrade to 9.0.90
  - >10.1.0-M1, <10.1.25 → Upgrade to 10.1.25
  - >11.0.0-M1, <11.0.0-M21 → Upgrade to 11.0.0-M21
- org.apache.tomcat:tomcat-coyote
  - >9.0.0-M1, <9.0.90 → Upgrade to 9.0.90
  - >10.1.0-M1, <10.1.25 → Upgrade to 10.1.25
  - >11.0.0-M1, <11.0.0-M21 → Upgrade to 11.0.0-M21
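As an added example (not code from this page, from Resolved Security, or from the Tomcat project), the following Python script checks Maven coordinates, in the form `mvn dependency:list` prints them, against the affected ranges and upgrade targets listed in the Affected Software and Available Upgrade Options sections above. The range bounds are transcribed exactly as this page states them (note that the page lists no upgrade for the 8.5 range, so the script reports "no fixed version listed" for it). The version parser is a simplified model of Maven's version ordering and assumes versions of the form `X.Y.Z` or `X.Y.Z-M<n>`; the sample `dependency:list` output is constructed for the example.

```python
"""Flag Tomcat artifacts whose version falls in the ranges this advisory lists
for CVE-2024-34750. Added example, not code from the page or the Tomcat project.
Assumptions: versions look like X.Y.Z or X.Y.Z-M<n> (a simplified model of
Maven's ordering); range bounds are transcribed exactly as the page states them."""
import re
from typing import List, Tuple

AFFECTED_ARTIFACTS = {
    "org.apache.tomcat.embed:tomcat-embed-core",
    "org.apache.tomcat:tomcat-coyote",
}

# (lower, lower_inclusive, upper, upper_inclusive, fixed_version)
# Transcribed from the Affected Software / Available Upgrade Options lists.
AFFECTED_RANGES = [
    ("11.0.0-M1", False, "11.0.0-M21", False, "11.0.0-M21"),
    ("9.0.0-M1", False, "9.0.90", False, "9.0.90"),
    ("8.5.0", False, "8.5.100", True, None),  # the page lists no 8.5.x upgrade
    ("10.1.0-M1", False, "10.1.25", False, "10.1.25"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Map a version string to a sortable tuple.

    A milestone sorts before the final release of the same triple
    (11.0.0-M1 < 11.0.0-M21 < 11.0.0), so the fourth element is 0 for a
    milestone and 1 for a release, and the fifth is the milestone number.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unsupported version format: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def in_range(version: str, lower: str, lower_incl: bool,
             upper: str, upper_incl: bool) -> bool:
    v, lo, hi = parse_version(version), parse_version(lower), parse_version(upper)
    above = v >= lo if lower_incl else v > lo
    below = v <= hi if upper_incl else v < hi
    return above and below


def assess(coordinate: str) -> dict:
    """Assess one Maven coordinate.

    Accepts groupId:artifactId:version as well as the longer
    groupId:artifactId:type:version[:scope] form that `mvn dependency:list` prints.
    """
    parts = coordinate.strip().split(":")
    if len(parts) < 3:
        raise ValueError(f"not a Maven coordinate: {coordinate!r}")
    group, artifact = parts[0], parts[1]
    version = parts[3] if len(parts) >= 4 else parts[2]
    result = {"artifact": f"{group}:{artifact}", "version": version,
              "affected": False, "fixed_version": None}
    if result["artifact"] not in AFFECTED_ARTIFACTS:
        return result
    for lower, lo_incl, upper, hi_incl, fixed in AFFECTED_RANGES:
        if in_range(version, lower, lo_incl, upper, hi_incl):
            result["affected"] = True
            result["fixed_version"] = fixed
            break
    return result


def scan_dependency_list(output: str) -> List[dict]:
    """Return the affected findings from `mvn dependency:list` output."""
    findings = []
    for line in output.splitlines():
        words = line.split()
        token = words[-1] if words else ""
        if token.count(":") < 2:
            continue  # not a coordinate line
        try:
            verdict = assess(token)
        except ValueError:
            continue  # a version format this simplified parser does not model
        if verdict["affected"]:
            findings.append(verdict)
    return findings


# Constructed sample of `mvn dependency:list` output, not from a real project.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.20:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.20:compile
[INFO]    org.apache.tomcat:tomcat-coyote:jar:11.0.0-M20:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.90:compile
"""

if __name__ == "__main__":
    for finding in scan_dependency_list(SAMPLE_OUTPUT):
        fix = finding["fixed_version"] or "no fixed version listed"
        print(f"{finding['artifact']} {finding['version']}: affected, upgrade to {fix}")
```

Run it against real output by piping `mvn dependency:list` into the script in place of `SAMPLE_OUTPUT`; only the two artifact coordinates named on this page are assessed, so other Tomcat modules pass through unflagged even when they share a version with an affected one.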
Additional Resources
- https://github.com/apache/tomcat
- https://tomcat.apache.org/security-9.html
- https://github.com/apache/tomcat/commit/9fec9a82887853402833a80b584e3762c7423f5f
- https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l
- https://github.com/apache/tomcat/commit/2344a4c0d03e307ba6b8ab6dc8b894cc8bac63f2
- https://security.netapp.com/advisory/ntap-20240816-0004/
- https://nvd.nist.gov/vuln/detail/CVE-2024-34750
- https://github.com/apache/tomcat/commit/2afae300c9ac9c0e516e2e9de580847d925365c3
- https://tomcat.apache.org/security-11.html
- https://osv.dev/vulnerability/GHSA-wm9w-rjj3-j356
What are Similar Vulnerabilities to CVE-2024-34750?
Similar Vulnerabilities: CVE-2022-42289, CVE-2022-22979, CVE-2021-42340, CVE-2020-1938, CVE-2023-45648
