csaf_redhat - rhsa-2024

rhsa-2024_3308

Vulnerability from csaf_redhat

Published

2024-05-23 06:18

Modified

2024-11-06 05:57

Summary

Red Hat Security Advisory: tomcat security and bug fix update

Notes

Topic

An update for tomcat is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es): * Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549) * Apache Tomcat: WebSocket DoS with incomplete closing handshake (CVE-2024-23672) Bug Fix(es) and Enhancement(s): * Rebase tomcat to version 9.0.87 (JIRA:RHEL-34814)

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for tomcat is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)\n\n* Apache Tomcat: WebSocket DoS with incomplete closing handshake (CVE-2024-23672)\n\nBug Fix(es) and Enhancement(s):\n\n* Rebase tomcat to version 9.0.87 (JIRA:RHEL-34814)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:3308",
        "url": "https://access.redhat.com/errata/RHSA-2024:3308"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2269607",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269607"
      },
      {
        "category": "external",
        "summary": "2269608",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269608"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_3308.json"
      }
    ],
    "title": "Red Hat Security Advisory: tomcat security and bug fix update",
    "tracking": {
      "current_release_date": "2024-11-06T05:57:18+00:00",
      "generator": {
        "date": "2024-11-06T05:57:18+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2024:3308",
      "initial_release_date": "2024-05-23T06:18:36+00:00",
      "revision_history": [
        {
          "date": "2024-05-23T06:18:36+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-05-23T06:18:37+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-06T05:57:18+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AppStream EUS (v.9.2)",
                "product": {
                  "name": "Red Hat Enterprise Linux AppStream EUS (v.9.2)",
                  "product_id": "AppStream-9.2.0.Z.EUS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_eus:9.2::appstream"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "tomcat-1:9.0.87-1.el9_2.1.src",
                "product": {
                  "name": "tomcat-1:9.0.87-1.el9_2.1.src",
                  "product_id": "tomcat-1:9.0.87-1.el9_2.1.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat@9.0.87-1.el9_2.1?arch=src\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "tomcat-1:9.0.87-1.el9_2.1.noarch",
                "product": {
                  "name": "tomcat-1:9.0.87-1.el9_2.1.noarch",
                  "product_id": "tomcat-1:9.0.87-1.el9_2.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat@9.0.87-1.el9_2.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
                "product": {
                  "name": "tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
                  "product_id": "tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-admin-webapps@9.0.87-1.el9_2.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
                "product": {
                  "name": "tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
                  "product_id": "tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-docs-webapp@9.0.87-1.el9_2.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
                "product": {
                  "name": "tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
                  "product_id": "tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-el-3.0-api@9.0.87-1.el9_2.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
                "product": {
                  "name": "tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
                  "product_id": "tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-jsp-2.3-api@9.0.87-1.el9_2.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
                "product": {
                  "name": "tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
                  "product_id": "tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-lib@9.0.87-1.el9_2.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
                "product": {
                  "name": "tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
                  "product_id": "tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-servlet-4.0-api@9.0.87-1.el9_2.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-webapps-1:9.0.87-1.el9_2.1.noarch",
                "product": {
                  "name": "tomcat-webapps-1:9.0.87-1.el9_2.1.noarch",
                  "product_id": "tomcat-webapps-1:9.0.87-1.el9_2.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-webapps@9.0.87-1.el9_2.1?arch=noarch\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-1:9.0.87-1.el9_2.1.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
          "product_id": "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.noarch"
        },
        "product_reference": "tomcat-1:9.0.87-1.el9_2.1.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-1:9.0.87-1.el9_2.1.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
          "product_id": "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.src"
        },
        "product_reference": "tomcat-1:9.0.87-1.el9_2.1.src",
        "relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
          "product_id": "AppStream-9.2.0.Z.EUS:tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch"
        },
        "product_reference": "tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
          "product_id": "AppStream-9.2.0.Z.EUS:tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch"
        },
        "product_reference": "tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
          "product_id": "AppStream-9.2.0.Z.EUS:tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch"
        },
        "product_reference": "tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
          "product_id": "AppStream-9.2.0.Z.EUS:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch"
        },
        "product_reference": "tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-lib-1:9.0.87-1.el9_2.1.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
          "product_id": "AppStream-9.2.0.Z.EUS:tomcat-lib-1:9.0.87-1.el9_2.1.noarch"
        },
        "product_reference": "tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
          "product_id": "AppStream-9.2.0.Z.EUS:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch"
        },
        "product_reference": "tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-webapps-1:9.0.87-1.el9_2.1.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.2)",
          "product_id": "AppStream-9.2.0.Z.EUS:tomcat-webapps-1:9.0.87-1.el9_2.1.noarch"
        },
        "product_reference": "tomcat-webapps-1:9.0.87-1.el9_2.1.noarch",
        "relates_to_product_reference": "AppStream-9.2.0.Z.EUS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-23672",
      "cwe": {
        "id": "CWE-459",
        "name": "Incomplete Cleanup"
      },
      "discovery_date": "2024-03-14T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2269608"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service (DoS) vulnerability present in the Apache Tomcat package arises from an incomplete cleanup process. Specifically, WebSocket clients can perpetuate WebSocket connections without proper termination, thereby causing a sustained drain on system resources. This vulnerability facilitates the exploitation of Apache Tomcat servers, leading to a scenario where excessive resource consumption occurs due to the prolonged existence of these open WebSocket connections. As a consequence, the server\u0027s performance may degrade significantly, resulting in potential service disruption or unresponsiveness.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Tomcat: WebSocket DoS with incomplete closing handshake",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This Denial of Service (DoS) vulnerability within the Apache Tomcat package represents an Important severity issue due to its potential to significantly impact system availability and performance. By allowing WebSocket clients to maintain open connections without proper cleanup, the vulnerability facilitates the sustained consumption of server resources. This exploitation results in increased CPU, memory, and network utilization, ultimately leading to server degradation or unresponsiveness. The inability to terminate these lingering connections efficiently exacerbates the severity of the issue, as it enables attackers to exploit limited resources over an extended period, amplifying the impact of the attack.\n\nRed Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there are no entry point for WebSockets, and thus it is not possible to trigger the flaw in a supported setup.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.src",
          "AppStream-9.2.0.Z.EUS:tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-webapps-1:9.0.87-1.el9_2.1.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-23672"
        },
        {
          "category": "external",
          "summary": "RHBZ#2269608",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269608"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-23672",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-23672"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-23672",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23672"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f",
          "url": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f"
        }
      ],
      "release_date": "2024-03-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-05-23T06:18:36+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.src",
            "AppStream-9.2.0.Z.EUS:tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-webapps-1:9.0.87-1.el9_2.1.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:3308"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.src",
            "AppStream-9.2.0.Z.EUS:tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-webapps-1:9.0.87-1.el9_2.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.src",
            "AppStream-9.2.0.Z.EUS:tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-webapps-1:9.0.87-1.el9_2.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Tomcat: WebSocket DoS with incomplete closing handshake"
    },
    {
      "cve": "CVE-2024-24549",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2024-03-14T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2269607"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Tomcat package due to its handling of HTTP/2 requests. Specifically, when an HTTP/2 request surpasses the predetermined limits for headers configured within the server, the associated HTTP/2 stream isn\u0027t reset immediately. Instead, the reset action occurs only after all the headers within the request have been processed. This lapse in resetting the stream exposes the system to potential risks, as it allows malicious actors to exploit the delay in stream reset to carry out various attacks, such as header manipulation or resource exhaustion.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Tomcat: HTTP/2 header handling DoS",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability presents an Important severity issue due to its potential to facilitate various forms of attack, particularly in the context of HTTP/2 protocol. By delaying the reset of HTTP/2 streams until after processing all headers, malicious actors can exploit this window to execute header manipulation attacks, leading to potential data exfiltration, injection of malicious content, or server resource exhaustion. Furthermore, the delayed reset prolongs the exposure time of vulnerable systems, increasing the likelihood of successful exploitation.\n\nIn addition, Red Hat Certificate System 10.0 and Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat that is bundled into the pki-servlet-engine component. However, HTTP/2 is not enabled in such a configuration, and it is not possible to trigger the flaw in a supported setup. See https://access.redhat.com/security/cve/CVE-2020-13934  for context.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.src",
          "AppStream-9.2.0.Z.EUS:tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
          "AppStream-9.2.0.Z.EUS:tomcat-webapps-1:9.0.87-1.el9_2.1.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-24549"
        },
        {
          "category": "external",
          "summary": "RHBZ#2269607",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269607"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-24549",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24549",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24549"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg",
          "url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
        }
      ],
      "release_date": "2024-03-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-05-23T06:18:36+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.src",
            "AppStream-9.2.0.Z.EUS:tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-webapps-1:9.0.87-1.el9_2.1.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:3308"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.src",
            "AppStream-9.2.0.Z.EUS:tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-webapps-1:9.0.87-1.el9_2.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-1:9.0.87-1.el9_2.1.src",
            "AppStream-9.2.0.Z.EUS:tomcat-admin-webapps-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-docs-webapp-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-el-3.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-lib-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.1.noarch",
            "AppStream-9.2.0.Z.EUS:tomcat-webapps-1:9.0.87-1.el9_2.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Tomcat: HTTP/2 header handling DoS"
    }
  ]
}

cve-2024-24549

Vulnerability from cvelistv5

Published

2024-03-13 15:46

Modified

2024-11-04 21:26

Severity ?

Summary

Apache Tomcat: HTTP/2 header handling DoS

References

▼	URL	Tags
	https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg	vendor-advisory
	https://security.netapp.com/advisory/ntap-20240402-0002/
	https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html
	http://www.openwall.com/lists/oss-security/2024/03/13/3
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/

Impacted products

▼	Vendor	Product
	Apache Software Foundation	Apache Tomcat

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-24549",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-15T15:00:56.854044Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T21:26:52.708Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:19:52.712Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240402-0002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/13/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.0-M16",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.18",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.85",
              "status": "affected",
              "version": "9.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.98",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bartek Nowotarski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-13T15:46:53.085Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240402-0002/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/13/3"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: HTTP/2 header handling DoS",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-24549",
    "datePublished": "2024-03-13T15:46:53.085Z",
    "dateReserved": "2024-01-25T12:05:42.034Z",
    "dateUpdated": "2024-11-04T21:26:52.708Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-23672

Vulnerability from cvelistv5

Published

2024-03-13 15:48

Modified

2024-11-18 21:35

Severity ?

Summary

Apache Tomcat: WebSocket DoS with incomplete closing handshake

References

▼	URL	Tags
	https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f	vendor-advisory
	https://security.netapp.com/advisory/ntap-20240402-0002/
	https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html
	http://www.openwall.com/lists/oss-security/2024/03/13/4
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/

Impacted products

▼	Vendor	Product
	Apache Software Foundation	Apache Tomcat

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-23672",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-13T18:10:26.291000Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-18T21:35:31.746Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:06:25.345Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240402-0002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/13/4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.0-M16",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.18",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.85",
              "status": "affected",
              "version": "9.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.98",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-459",
              "description": "CWE-459 Incomplete Cleanup",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-13T15:48:42.610Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240402-0002/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/13/4"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Apache Tomcat: WebSocket DoS with incomplete closing handshake",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-23672",
    "datePublished": "2024-03-13T15:48:42.610Z",
    "dateReserved": "2024-01-19T11:44:18.348Z",
    "dateUpdated": "2024-11-18T21:35:31.746Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

rhsa-2024_3308

Vulnerability from csaf_redhat

cve-2024-24549

Vulnerability from cvelistv5

cve-2024-23672

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature