On Mon, Sep 23, 2024 at 5:54 AM Mark Thomas <ma...@apache.org> wrote:
>
> CVE-2024-38286 Apache Tomcat - Denial of Service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 11.0.0-M1 to 11.0.0-M20
> Apache Tomcat 10.1.0-M1 to 10.1.24
> Apache Tomcat 9.0.13 to 9.0.89
>
> Description:
> Tomcat, under certain configurations on any platform, allows an attacker
> to cause an OutOfMemoryError by abusing the TLS handshake process.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 11.0.0-M21 or later
> - Upgrade to Apache Tomcat 10.1.25 or later
> - Upgrade to Apache Tomcat 9.0.90 or later
>
> Credit:
> This vulnerability was reported responsibly to the Tomcat security team
> by Ozaki, North Grid Corporation
>
> History:
> 2024-07-03 Original advisory
> [...]
Based on the commit [1], is it safe to assume the issue only impacts when TLS 1.3 is being used?

Thanks.
-Amarendra

[1] https://github.com/apache/tomcat/commit/76c5cce6f0bcef14b0c21c38910371ca7d322d13
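The practical question behind an advisory like the one quoted above is "which of my Tomcat instances are in the affected ranges?" The script below is an added triage example, not part of this thread or of the Tomcat project. It parses the output of Tomcat's own `org.apache.catalina.util.ServerInfo` tool (`java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`) and compares the reported version against the three ranges listed in the advisory, taking care that milestone builds (`11.0.0-M20`) sort before the GA release of the same number. The sample ServerInfo output embedded in the script is constructed for the example; the function names are mine.

```python
"""Triage helper for CVE-2024-38286 (Apache Tomcat DoS via TLS handshake).

Added example; not code from the mailing-list thread or the Tomcat project.
Feed it the output of:
    java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo
and it reports whether the build falls inside one of the affected ranges
quoted in the advisory, and which release the advisory says to move to.
"""
import re
from typing import Optional, Tuple

# (first affected, last affected, first fixed) per branch, exactly as the
# advisory lists them.  Versions outside every range are reported as
# "not in any range listed by this advisory"; nothing more is claimed.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M20", "11.0.0-M21"),
    ("10.1.0-M1", "10.1.24", "10.1.25"),
    ("9.0.13", "9.0.89", "9.0.90"),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# ServerInfo prints e.g. "Server version: Apache Tomcat/9.0.89"
SERVERINFO_RE = re.compile(r"^Server version:\s*Apache Tomcat/(\S+)", re.MULTILINE)

# Larger than any milestone number, so "x.y.z" (GA) sorts after "x.y.z-Mn".
_GA_SENTINEL = 1_000_000


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.1.0-M5' or '9.0.89' into a sortable (major, minor, patch, milestone) tuple."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = match.groups()
    ms = int(milestone) if milestone is not None else _GA_SENTINEL
    return (int(major), int(minor), int(patch), ms)


def fixed_version(version: str) -> Optional[str]:
    """Return the first fixed release for the branch if `version` is affected, else None."""
    v = parse_version(version)
    for first, last, fix in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return fix
    return None


def is_affected(version: str) -> bool:
    """True if `version` lies inside one of the advisory's affected ranges."""
    return fixed_version(version) is not None


def parse_serverinfo(output: str) -> str:
    """Extract the version string from ServerInfo output."""
    match = SERVERINFO_RE.search(output)
    if not match:
        raise ValueError("no 'Server version: Apache Tomcat/...' line found")
    return match.group(1)


def triage(serverinfo_output: str) -> Tuple[str, bool, Optional[str]]:
    """(version, affected?, first fixed release or None) for one ServerInfo dump."""
    version = parse_serverinfo(serverinfo_output)
    return (version, is_affected(version), fixed_version(version))


# Constructed sample of ServerInfo output (not captured from a real host).
SAMPLE_SERVERINFO = """\
Server version: Apache Tomcat/9.0.89
Server built:   May 3 2024 12:00:00 UTC
Server number:  9.0.89.0
OS Name:        Linux
"""

if __name__ == "__main__":
    version, affected, fix = triage(SAMPLE_SERVERINFO)
    if affected:
        print(f"Apache Tomcat {version}: affected by CVE-2024-38286, upgrade to {fix} or later")
    else:
        print(f"Apache Tomcat {version}: not in any range listed by the advisory")
```

Run it against `ServerInfo` output piped from each host (or wire `triage` into your inventory tooling); the milestone handling matters because a naive string or float comparison would either miss `11.0.0-M20` or wrongly flag the later `11.0.0` GA.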