CVE-2017-5650 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M18
Apache Tomcat 8.5.0 to 8.5.12
Apache Tomcat 8.0.x and earlier are not affected

Description:
The handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M19 or later
- Upgrade to Apache Tomcat 8.5.13 or later

Credit:
This issue was identified by Chun Han Hsiao and reported responsibly to the Tomcat security team.

History:
2017-04-10 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
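The following is an added, simplified model of the connection state the advisory describes; it is not Tomcat code. A stream parked waiting for WINDOW_UPDATE holds one connector thread, and the model contrasts GOAWAY handling that leaves those streams parked (the affected versions) with handling that closes them and returns their threads to the pool (the fix). Class and function names, and the pool size, are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

OPEN, WAITING_WINDOW_UPDATE, CLOSED = "open", "waiting_window_update", "closed"

class WorkerPool:
    """Connector thread pool; every parked stream occupies one of these threads."""
    def __init__(self, size):
        self.free = size
    def acquire(self):
        if self.free == 0:
            return False
        self.free -= 1
        return True
    def release(self):
        self.free += 1

@dataclass
class Stream:
    stream_id: int
    state: str = OPEN

@dataclass
class Connection:
    pool: WorkerPool
    goaway_closes_waiting_streams: bool   # False models 9.0.0.M1-M18 / 8.5.0-8.5.12
    streams: dict = field(default_factory=dict)

    def request(self, stream_id):
        """Client opens a stream whose response exceeds the flow-control window:
        the worker thread blocks in that stream waiting for WINDOW_UPDATE."""
        if not self.pool.acquire():
            return False          # no worker left: service is denied to all clients
        self.streams[stream_id] = Stream(stream_id, WAITING_WINDOW_UPDATE)
        return True

    def goaway(self):
        """Peer sends GOAWAY: the fix closes every stream, parked ones included."""
        for s in self.streams.values():
            if s.state == WAITING_WINDOW_UPDATE and not self.goaway_closes_waiting_streams:
                continue          # affected versions: stream keeps waiting, thread never returns
            self.close_stream(s)

    def close_stream(self, s):
        if s.state == WAITING_WINDOW_UPDATE:
            self.pool.release()   # waking the parked thread returns it to the pool
        s.state = CLOSED

def scenario(pool_size, fixed):
    """Free threads after one client parks pool_size streams then sends GOAWAY,
    and whether a second client's request can still obtain a worker."""
    pool = WorkerPool(pool_size)
    client = Connection(pool, goaway_closes_waiting_streams=fixed)
    for i in range(1, 2 * pool_size, 2):   # client-initiated stream ids are odd
        client.request(i)
    client.goaway()
    free_after_goaway = pool.free
    next_client = Connection(pool, goaway_closes_waiting_streams=fixed)
    return free_after_goaway, next_client.request(1)
```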