https://bugzilla.redhat.com/show_bug.cgi?id=1693325
Bug ID: 1693325
Summary: CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190325,reported=20190326,source=internet,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-400,fedora-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=notaffected,brms-6/tomcat=notaffected,epel-all/tomcat=notaffected,brms-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,eap-5/jbossweb=notaffected,jdg-6/jbossweb=notaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=notaffected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,fsw-6/jbossweb=notaffected,soap-5/jbossweb=notaffected,springboot-1/tomcat=notaffected,jbews-2/tomcat6=notaffected,jws-3/tomcat7=notaffected,rhel-7/tomcat=notaffected,jbews-2/tomcat7=notaffected,jws-3/tomcat8=new,rhel-6/tomcat6=notaffected,jon-3/jbossweb=notaffected,jws-5/tomcat=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: lpardo@redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Apache Tomcat versions 9.0.0.M1 to 9.0.14 inclusive and 8.5.0 to 8.5.37 inclusive. The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.
References:
https://mail-archives.apache.org/mod_mbox/tomcat-announce/201903.mbox/browse...
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-8.html
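The description gives two inclusive version ranges, and the 9.0.x range starts at a milestone build, which plain string or numeric comparison gets wrong. The following inventory check is an added example, not code from the bug or from the Tomcat project; it assumes Tomcat's version formats (final releases like 9.0.14 and milestones like 9.0.0.M27) and Maven purls of the form found in CycloneDX BOM entries, and the sample inputs are constructed.

```python
"""Check Tomcat versions against the CVE-2019-0199 ranges stated in the bug."""
import re
from typing import Dict, Iterable, Tuple

VersionKey = Tuple[int, int, int, int, int]

# Affected ranges exactly as the bug description states them (inclusive).
AFFECTED_RANGES = (
    ("9.0.0.M1", "9.0.14"),
    ("8.5.0", "8.5.37"),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def version_key(version: str) -> VersionKey:
    """Turn a Tomcat version string into a sortable key.

    Milestone builds (e.g. 9.0.0.M27) precede every final release of the
    same line, so the fourth field is 0 for milestones and 1 for finals;
    the fifth field orders milestones among themselves.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_from_purl(purl: str) -> str:
    """Extract the version from an org.apache.tomcat Maven purl (assumed format)."""
    m = re.match(r"^pkg:maven/org\.apache\.tomcat/[^@]+@([^?]+)", purl)
    if not m:
        raise ValueError(f"not an org.apache.tomcat Maven purl: {purl!r}")
    return m.group(1)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's inclusive ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def check_bom_entries(purls: Iterable[str]) -> Dict[str, bool]:
    """Map each Tomcat purl from a BOM to its CVE-2019-0199 status."""
    return {p: is_affected(version_from_purl(p)) for p in purls}


if __name__ == "__main__":
    # Constructed sample inventory; names and versions are illustrative only.
    sample = [
        "pkg:maven/org.apache.tomcat/tomcat-embed-core@9.0.0.M27?type=jar",
        "pkg:maven/org.apache.tomcat/tomcat-embed-core@9.0.14?type=jar",
        "pkg:maven/org.apache.tomcat/tomcat-embed-core@9.0.16?type=jar",
        "pkg:maven/org.apache.tomcat/tomcat-api@8.5.38?type=jar",
    ]
    for purl, hit in check_bom_entries(sample).items():
        print(f"{'AFFECTED' if hit else 'ok      '} {purl}")
```

The check only answers "is this version in the advisory's range"; an affected build is still only exposed if an HTTP/2 upgrade protocol is configured on a connector, which is the point comment #4 below makes for pki-servlet-container.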
Laura Pardo lpardo@redhat.com changed:
What       | Removed | Added
Depends On |         | 1693326
--- Comment #1 from Laura Pardo lpardo@redhat.com --- Created tomcat tracking bugs for this issue:
Affects: fedora-all [bug 1693326]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1693326 [Bug 1693326] CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS [fedora-all]
Laura Pardo lpardo@redhat.com changed:
What   | Removed | Added
Blocks |         | 1692760
Doran Moppert dmoppert@redhat.com changed:
What                             | Removed | Added
CC                               |         | rhcs-maint@redhat.com
Whiteboard (changed entry only)  |         | rhel-8/pki-servlet-container=affected (appended)
Doran Moppert dmoppert@redhat.com changed:
What       | Removed | Added
Depends On |         | 1693508
Tomas Hoger thoger@redhat.com changed:
What                             | Removed                               | Added
Whiteboard (changed entry only)  | rhel-8/pki-servlet-container=affected | rhel-8/pki-deps:10.6/pki-servlet-container=affected
Kunjan Rathod krathod@redhat.com changed:
What                             | Removed          | Added
Whiteboard (changed entry only)  | jws-5/tomcat=new | jws-5/tomcat=affected
Kunjan Rathod krathod@redhat.com changed:
What                             | Removed           | Added
Whiteboard (changed entry only)  | jws-3/tomcat8=new | jws-3/tomcat8=notaffected
Bug 1693325 depends on bug 1693326, which changed state.
Bug 1693326 Summary: CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1693326
What       | Removed | Added
Status     | ON_QA   | CLOSED
Resolution | ---     | ERRATA
--- Comment #4 from Doran Moppert dmoppert@redhat.com --- Statement:
pki-servlet-container does not use HTTP/2 in its default configuration.
--- Comment #5 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2019:3931 https://access.redhat.com/errata/RHSA-2019:3931
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2019:3931
--- Comment #6 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.2 on RHEL 7
Red Hat JBoss Web Server 5.2 on RHEL 6
Red Hat JBoss Web Server 5.2 on RHEL 8
Via RHSA-2019:3929 https://access.redhat.com/errata/RHSA-2019:3929
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2019:3929
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        | Removed | Added
Status      | NEW     | CLOSED
Resolution  | ---     | ERRATA
Last Closed |         | 2019-12-02 19:04:51
--- Comment #7 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-0199
--- Doc Text *updated* by Paramvir jindal pjindal@redhat.com --- A flaw was found in Apache Tomcat where the HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open, which enables them to cause server-side threads to block, eventually leading to a DoS attack.
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com --- A flaw was found in Apache Tomcat, where the HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open, which enables them to cause server-side threads to block. This flaw eventually leads to a denial of service attack.
--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Runtimes Spring Boot 2.1.12
Via RHSA-2020:2366 https://access.redhat.com/errata/RHSA-2020:2366
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    | Removed | Added
Link ID |         | Red Hat Product Errata RHSA-2020:2366
Joshua Mulliken jmullike@redhat.com changed:
What | Removed | Added
CC   |         | aboyko@redhat.com, pdrozd@redhat.com, sthorger@redhat.com
--- Comment #10 from Joshua Mulliken jmullike@redhat.com --- Adding RHSSO. A vulnerable version of tomcat-api was detected in a newly generated BOM:
{ "group": "org.apache.tomcat", "name": "tomcat-api", "version": "7.0.92", "description": "Definition of interfaces shared by Catalina and Jasper", "hashes": [ { "alg": "MD5", "content": "beeba9a893d8f9b1fb6030c85936d8f0" }, { "alg": "SHA-1", "content": "8be254a4fe5bbba7495a78f835053ce1e1846c54" }, { "alg": "SHA-256", "content": "d661c70a1719eba641925adac4994ad4dca0e2e43a9ea402b4ca4a9abf29d0f3" }, { "alg": "SHA-384", "content": "5e5fe33329bd24d715ff810874ae1f09014f25e7ecc5a9f105e72477c14a29e6d8d7f6b8b5a930eea7ebe9235232e048" }, { "alg": "SHA-512", "content": "293f3ddf3aa232d61cc7cd44594bd3457aebaafec00bab5414097ab318d79f6584c293a33944e036e582c952e0b60fc5a11681a6329913b9d3d04568763f459b" }, { "alg": "SHA3-256", "content": "7a29bdac2f51d7819594c72862c579b379c99dedf9ac2de492b4298a6a549230" }, { "alg": "SHA3-384", "content": "d354f751ad6627345fb60ee0f326904a356035c46f822b2d3809d8790b47cb275c445fad641b6835c0ab570d38323792" }, { "alg": "SHA3-512", "content": "4bdcb5a5bd7538382e4d8f2d8ba8be17786162b7afc16cdcac15817adc143eeeb02329584951eb05937907a1d6a5e4a52c9c329cdd37881e99a2fd08f666a7bc" } ], "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:maven/org.apache.tomcat/tomcat-api@7.0.92?type=jar", "type": "library", "bom-ref": "pkg:maven/org.apache.tomcat/tomcat-api@7.0.92?type=jar" }
Joshua Mulliken jmullike@redhat.com changed:
What | Removed | Added
CC   |         | jmullike@redhat.com
Paramvir jindal pjindal@redhat.com changed:
What | Removed                                                    | Added
CC   | aboyko@redhat.com, pdrozd@redhat.com, sthorger@redhat.com |