CVE-2019-0199
Last modified
CVE-2019-0199 is a vulnerability of currently unknown severity. The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.. EPSS estimates a 72.86% chance of exploitation in the next 30 days.
Description
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Apache | Tomcat | >= 8.5.0, <= 8.5.37 | — |
| Apache | Tomcat | >= 9.0.1, <= 9.0.14 | — |
| Apache | Tomcat | 9.0.0 | Milestone1 |
References
- https://security.netapp.com/advisory/ntap-20190419-0001/Third Party Advisory
- https://security.netapp.com/advisory/ntap-20190419-0001/Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-0199?
How severe is CVE-2019-0199?
How do I fix CVE-2019-0199?
Are you affected by CVE-2019-0199?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST