Apache advisory addresses incomplete Tomcat update

News by Robert Abel

The issue was caused by an incomplete fix for CVE-2019-0199 that did not address HTTP/2 connection window exhaustion on write

Apache released a security advisory for Apache Tomcat to address a vulnerability, CVE-2019-10072, which could allow an attacker to cause a denial-of-service condition.

The problem stems from an incomplete fix for the earlier HTTP/2 denial-of-service flaw, CVE-2019-0199, which did not address exhaustion of the connection-level flow-control window when the server writes response data.

"By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS," said the security advisory on 20 June.
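The advisory compresses the mechanism into one sentence. The following added Python model, which is example code and not Tomcat's implementation, makes it concrete: HTTP/2 flow control keeps one send window per stream and one for the whole connection (stream 0), and a server may only write DATA that fits in both. A client that replenishes its per-stream windows but never sends WINDOW_UPDATE for stream 0 drains the connection window to zero, after which every thread blocked in a write stays blocked. The class names, the 16 KiB frame size, the constructed client behaviours and the `write_timeout_rounds` knob (a generic bounded-wait mitigation, not a Tomcat configuration attribute) are assumptions of this example.

```python
"""Model of HTTP/2 send-side flow control (RFC 7540 section 6.9) showing
connection-window exhaustion on write. Constructed example, not Tomcat code."""

DEFAULT_WINDOW = 65_535   # RFC 7540 initial flow-control window size
MAX_FRAME = 16_384        # RFC 7540 default SETTINGS_MAX_FRAME_SIZE
CONNECTION_STREAM = 0     # WINDOW_UPDATE on stream 0 replenishes the connection window


class Http2Connection:
    """Server-side view of the windows it must respect before sending DATA."""

    def __init__(self):
        self.conn_window = DEFAULT_WINDOW
        self.stream_windows = {}

    def open_stream(self, sid):
        self.stream_windows[sid] = DEFAULT_WINDOW

    def send_data(self, sid, nbytes):
        """Send up to nbytes on sid; returns bytes sent, 0 if either window is empty."""
        allowed = min(nbytes, self.stream_windows[sid], self.conn_window)
        if allowed <= 0:
            return 0
        self.stream_windows[sid] -= allowed
        self.conn_window -= allowed
        return allowed

    def window_update(self, sid, increment):
        """Apply a WINDOW_UPDATE frame received from the client."""
        if sid == CONNECTION_STREAM:
            self.conn_window += increment
        else:
            self.stream_windows[sid] += increment


class WellBehavedClient:
    """Acknowledges consumed DATA on both the stream and the connection window."""

    def on_data(self, sid, nbytes):
        return [(sid, nbytes), (CONNECTION_STREAM, nbytes)]


class StarvingClient:
    """Constructed attacker: updates stream windows but never stream 0."""

    def on_data(self, sid, nbytes):
        return [(sid, nbytes)]


def serve(client, n_streams=4, response_size=100_000, rounds=20,
          write_timeout_rounds=None):
    """Round-robin n_streams writer threads, each sending one response.

    write_timeout_rounds (assumed mitigation knob): abort a stream whose write
    has made no progress for that many consecutive rounds, freeing its thread.
    Returns counts of completed, still-blocked and aborted streams plus the
    final connection window.
    """
    conn = Http2Connection()
    remaining = {sid: response_size for sid in range(1, 2 * n_streams, 2)}
    for sid in remaining:
        conn.open_stream(sid)
    stalled, aborted = {}, set()

    for _ in range(rounds):
        for sid in remaining:
            if remaining[sid] == 0 or sid in aborted:
                continue
            sent = conn.send_data(sid, min(MAX_FRAME, remaining[sid]))
            if sent == 0:
                # The thread is parked waiting for window that may never come.
                stalled[sid] = stalled.get(sid, 0) + 1
                if write_timeout_rounds is not None and stalled[sid] >= write_timeout_rounds:
                    aborted.add(sid)        # RST_STREAM; thread returns to the pool
                    stalled.pop(sid)
                continue
            stalled.pop(sid, None)
            remaining[sid] -= sent
            for target, increment in client.on_data(sid, sent):
                conn.window_update(target, increment)

    return {
        "completed": sum(1 for r in remaining.values() if r == 0),
        "blocked": len(stalled),
        "aborted": len(aborted),
        "conn_window": conn.conn_window,
    }


if __name__ == "__main__":
    print("well-behaved:", serve(WellBehavedClient()))
    print("starving    :", serve(StarvingClient()))
    print("with timeout:", serve(StarvingClient(), write_timeout_rounds=2))
```

With the starving client the connection window reaches zero after 65,535 bytes (three full frames and one partial), and all four writer threads stay blocked even though every per-stream window is still open; scaled to a real thread pool that is the thread exhaustion the advisory describes. Bounding the wait on a zero window returns the threads to the pool at the cost of the attacker's own streams, which is the shape of fix such servers adopt.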

The vulnerability has a severity rating of "Important" and affects Apache Tomcat 9.0.0.M1 to 9.0.19 and Apache Tomcat 8.5.0 to 8.5.40.

To address the vulnerability, affected users should upgrade to Apache Tomcat 9.0.20 or later, or to Apache Tomcat 8.5.41 or later.

This article was originally published on SC Media US.
