Mageia 9: 2024-0090 Critical: Apache Tomcat DoS for WebSocket Clients
mageia
March 26, 2024
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat
Summary
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat.
It was possible for WebSocket clients to keep WebSocket connections open
leading to increased resource consumption. (CVE-2024-23672)
Denial of Service due to improper input validation vulnerability for
HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if
the request exceeded any of the configured limits for headers, the
associated HTTP/2 stream was not reset until after all of the headers
had been processed. (CVE-2024-24549)
References
- https://bugs.mageia.org/show_bug.cgi?id=32980
- https://www.openwall.com/lists/oss-security/2024/03/13/3
- https://www.openwall.com/lists/oss-security/2024/03/13/4
- https://www.cve.org/CVERecord?id=CVE-2024-23672
- https://www.cve.org/CVERecord?id=CVE-2024-24549
Resolution
SRPMS
- 9/core/tomcat-9.0.87-1.mga9
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Publication date: 26 Mar 2024
URL: https://advisories.mageia.org/MGASA-2024-0090.html
Type: security
CVE: CVE-2024-23672,
CVE-2024-24549
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!