https://bugzilla.redhat.com/show_bug.cgi?id=1723708
Bug ID: 1723708
Summary: CVE-2019-10072 tomcat: denial of service on vulnerable installation
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=affected,fuse-7/tomcat=affected,jdg-7/tomcat=affected,jws-5/tomcat=affected,rhel-7/tomcat=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
CC: aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, alee@redhat.com, almorale@redhat.com, anstephe@redhat.com, chazlett@redhat.com, coolsvap@gmail.com, csutherl@redhat.com, drieden@redhat.com, etirelli@redhat.com, gzaronik@redhat.com, ibek@redhat.com, ivan.afonichev@gmail.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jclere@redhat.com, jochrist@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, lgao@redhat.com, lpetrovi@redhat.com, mbabacek@redhat.com, mnovotny@redhat.com, myarboro@redhat.com, paradhya@redhat.com, rrajasek@redhat.com, rsynek@redhat.com, sdaley@redhat.com, twalsh@redhat.com, weli@redhat.com
Target Milestone: ---
Classification: Other
Apache Tomcat is vulnerable to a denial of service, caused by HTTP/2 connection window exhaustion on write. By failing to send WINDOW_UPDATE messages, a remote attacker could exploit this vulnerability to block threads on the server and cause a denial of service.
Reference: http://mail-archives.us.apache.org/mod_mbox/www-announce/201906.mbox/%3Cca69...
Dhananjay Arunesh darunesh@redhat.com changed:
What             |Removed |Added
----------------------------------------------------------------------------
Blocks           |        |1723709
Fixed In Version |        |Apache Tomcat 9.0.20, Apache Tomcat 8.5.41
Dhananjay Arunesh darunesh@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1723711

--- Comment #1 from Dhananjay Arunesh darunesh@redhat.com ---
Created tomcat tracking bugs for this issue:
Affects: epel-all [bug 1723711]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1723711 [Bug 1723711] CVE-2019-10072 tomcat: denial of service on vulnerable installation [epel-all]
Dhananjay Arunesh darunesh@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1723712

--- Comment #2 from Dhananjay Arunesh darunesh@redhat.com ---
Created tomcat tracking bugs for this issue:
Affects: fedora-all [bug 1723712]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1723712 [Bug 1723712] CVE-2019-10072 tomcat: denial of service on vulnerable installation [fedora-all]
Dhananjay Arunesh darunesh@redhat.com changed:
What    |Removed                                                                 |Added
----------------------------------------------------------------------------
Summary |CVE-2019-10072 tomcat: denial of service on vulnerable installation     |CVE-2019-10072 tomcat: incomplete fix of CVE-2019-0199 leads to denial of service
Tomas Hoger thoger@redhat.com changed:
What    |Removed                                                                            |Added
----------------------------------------------------------------------------
Summary |CVE-2019-10072 tomcat: incomplete fix of CVE-2019-0199 leads to denial of service |CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199

--- Comment #3 from Tomas Hoger thoger@redhat.com ---
External References:

http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41
Dhananjay Arunesh darunesh@redhat.com changed:
What    |Removed                                                                                              |Added
----------------------------------------------------------------------------
Summary |CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 |CVE-2019-10072 tomcat: HTTP/2 implementation leads to denial of service
Dhananjay Arunesh darunesh@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |
  Removed: impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=affected,fuse-7/tomcat=affected,jdg-7/tomcat=affected,jws-5/tomcat=affected,rhel-7/tomcat=new
  Added:   impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=affected,fuse-7/tomcat=affected,jdg-7/tomcat=affected,jws-5/tomcat=affected,openshift-online-3/tomcat=new
Tomas Hoger thoger@redhat.com changed:
What    |Removed                                                                 |Added
----------------------------------------------------------------------------
Summary |CVE-2019-10072 tomcat: HTTP/2 implementation leads to denial of service |CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199
Doran Moppert dmoppert@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
CC         |        |rhcs-maint@redhat.com
Whiteboard |
  Removed: impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=affected,fuse-7/tomcat=affected,jdg-7/tomcat=affected,jws-5/tomcat=affected,openshift-online-3/tomcat=new
  Added:   impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=affected,fuse-7/tomcat=affected,jdg-7/tomcat=affected,jws-5/tomcat=affected,openshift-online-3/tomcat=new,rhel-7/tomcat=notaffected,rhel-6/tomcat=notaffected,rhel-8/pki-deps:10.6/pki-servlet-container=wontfix

--- Comment #6 from Doran Moppert dmoppert@redhat.com ---
Mitigation:
pki-servlet-container does not use HTTP/2 in its default configuration.
Jonathan Christison jochrist@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |
  Removed: impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=affected,fuse-7/tomcat=affected,jdg-7/tomcat=affected,jws-5/tomcat=affected,openshift-online-3/tomcat=new,rhel-7/tomcat=notaffected,rhel-6/tomcat=notaffected,rhel-8/pki-deps:10.6/pki-servlet-container=wontfix
  Added:   impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,jdg-7/tomcat=affected,jws-5/tomcat=affected,openshift-online-3/tomcat=new,rhel-7/tomcat=notaffected,rhel-6/tomcat=notaffected,rhel-8/pki-deps:10.6/pki-servlet-container=wontfix
Paramvir jindal pjindal@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |
  Removed: impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,jdg-7/tomcat=affected,jws-5/tomcat=affected,openshift-online-3/tomcat=new,rhel-7/tomcat=notaffected,rhel-6/tomcat=notaffected,rhel-8/pki-deps:10.6/pki-servlet-container=wontfix
  Added:   impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,jdg-7/tomcat=new,jws-5/tomcat=affected,openshift-online-3/tomcat=new,rhel-7/tomcat=notaffected,rhel-6/tomcat=notaffected,rhel-8/pki-deps:10.6/pki-servlet-container=wontfix
Paramvir jindal pjindal@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |
  Removed: impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,jdg-7/tomcat=new,jws-5/tomcat=affected,openshift-online-3/tomcat=new,rhel-7/tomcat=notaffected,rhel-6/tomcat=notaffected,rhel-8/pki-deps:10.6/pki-servlet-container=wontfix
  Added:   impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,jdg-7/tomcat=notaffected,jws-5/tomcat=affected,openshift-online-3/tomcat=new,rhel-7/tomcat=notaffected,rhel-6/tomcat=notaffected,rhel-8/pki-deps:10.6/pki-servlet-container=wontfix
Sam Fowler sfowler@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |
  Removed: impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,jdg-7/tomcat=notaffected,jws-5/tomcat=affected,openshift-online-3/tomcat=new,rhel-7/tomcat=notaffected,rhel-6/tomcat=notaffected,rhel-8/pki-deps:10.6/pki-servlet-container=wontfix
  Added:   impact=moderate,public=20190621,reported=20190625,source=internet,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-400,bpms-6/tomcat=new,brms-6/tomcat=new,epel-all/tomcat=affected,fedora-all/tomcat=affected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,jdg-7/tomcat=notaffected,jws-5/tomcat=affected,openshift-online-3/tomcat=notaffected,rhel-7/tomcat=notaffected,rhel-6/tomcat=notaffected,rhel-8/pki-deps:10.6/pki-servlet-container=wontfix

Bug 1723708 depends on bug 1723712, which changed state.

Bug 1723712 Summary: CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1723712

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |CURRENTRELEASE

Bug 1723708 depends on bug 1723711, which changed state.

Bug 1723711 Summary: CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1723711

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |NOTABUG
--- Comment #8 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2019:3931 https://access.redhat.com/errata/RHSA-2019:3931
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
----------------------------------------------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2019:3931

--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:

Red Hat JBoss Web Server 5.2 on RHEL 7
Red Hat JBoss Web Server 5.2 on RHEL 6
Red Hat JBoss Web Server 5.2 on RHEL 8
Via RHSA-2019:3929 https://access.redhat.com/errata/RHSA-2019:3929
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
----------------------------------------------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2019:3929
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |ERRATA
Last Closed |        |2019-11-20 18:51:30

--- Comment #10 from Product Security DevOps Team prodsec-dev@redhat.com ---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-10072
Joshua Mulliken jmullike@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |aboyko@redhat.com, pdrozd@redhat.com, pjindal@redhat.com, sthorger@redhat.com
Paramvir jindal pjindal@redhat.com changed:
What |Removed                                                   |Added
----------------------------------------------------------------------------
CC   |aboyko@redhat.com, pdrozd@redhat.com, sthorger@redhat.com |