On Fri, Sep 27, 2024 at 8:37 PM Amarendra Godbole
<amarendra.godb...@gmail.com> wrote:
>
> On Mon, Sep 23, 2024 at 5:54 AM Mark Thomas <ma...@apache.org> wrote:
> >
> > CVE-2024-38286 Apache Tomcat - Denial of Service
> >
> > Severity: Important
> >
> > Vendor: The Apache Software Foundation
> >
> > Versions Affected:
> > Apache Tomcat 11.0.0-M1 to 11.0.0-M20
> > Apache Tomcat 10.1.0-M1 to 10.1.24
> > Apache Tomcat 9.0.13 to 9.0.89
> >
> > Description:
> > Tomcat, under certain configurations on any platform, allows an attacker
> > to cause an OutOfMemoryError by abusing the TLS handshake process.
> >
> > Mitigation:
> > Users of the affected versions should apply one of the following
> > mitigations:
> > - Upgrade to Apache Tomcat 11.0.0-M21 or later
> > - Upgrade to Apache Tomcat 10.1.25 or later
> > - Upgrade to Apache Tomcat 9.0.90 or later
> >
> > Credit:
> > This vulnerability was reported responsibly to the Tomcat security team
> > by Ozaki, North Grid Corporation
> >
> > History:
> > 2024-07-03 Original advisory
> [...]
>
> Based on the commit [1], is it safe to assume the issue only impacts
> when TLS 1.3 is being used?

That is correct.

Rémy

> Thanks.
>
> -Amarendra
>
> [1] 
> https://github.com/apache/tomcat/commit/76c5cce6f0bcef14b0c21c38910371ca7d322d13
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
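The thread establishes two facts a defender needs to decide whether an installation is exposed: the affected version ranges from the advisory, and Rémy's confirmation that the issue only applies when TLS 1.3 is in use. The Python script below is an added example, not code from the thread or from the Tomcat project, that combines both checks. It assumes the documented semantics of the SSLHostConfig `protocols` attribute (comma-separated names, `all` as shorthand for the full protocol set, `+`/`-` prefixes to add or remove a name, and `all` as the default when the attribute is absent); the `server.xml` it parses is a constructed sample with two TLS connectors, one leaving TLSv1.3 on by default and one disabling it.

```python
"""Assess a Tomcat instance against CVE-2024-38286 (added example).

Exposed means: version inside an affected range from the advisory AND at
least one SSLEnabled connector that still offers TLSv1.3.
"""
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges, copied from the advisory text.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M20"),
    ("10.1.0-M1", "10.1.24"),
    ("9.0.13", "9.0.89"),
]

# Assumed expansion of the SSLHostConfig 'protocols' shorthand "all".
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Turn '10.1.24' or '11.0.0-M20' into a sortable tuple.

    A milestone build of X.Y.Z precedes the final X.Y.Z, so milestones rank
    as (0, n) and a final release as (1, 0) in the trailing components.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def is_affected_version(version):
    """True when the version falls inside any advisory range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def enabled_protocols(protocols_attr):
    """Expand an SSLHostConfig 'protocols' value into a set of names.

    Assumed semantics: comma-separated names, 'all' expands to
    ALL_PROTOCOLS, '+name' adds, '-name' removes, and an absent attribute
    means the Tomcat default of 'all'.
    """
    if protocols_attr is None:
        protocols_attr = "all"
    enabled = set()
    for token in (t.strip() for t in protocols_attr.split(",")):
        if not token:
            continue
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        elif token.startswith("+"):
            enabled.add(token[1:])
        else:
            enabled.add(token)
    return enabled


def tls_connectors(server_xml):
    """Yield (port, protocol-set) for every SSLEnabled connector."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        hosts = conn.findall("SSLHostConfig")
        if not hosts:
            # No explicit SSLHostConfig: Tomcat supplies one with defaults.
            yield conn.get("port"), enabled_protocols(None)
        for host in hosts:
            yield conn.get("port"), enabled_protocols(host.get("protocols"))


def assess(version, server_xml):
    """Return (exposed, [(port, tls13_enabled), ...]) for one instance."""
    details = [(port, "TLSv1.3" in protos)
               for port, protos in tls_connectors(server_xml)]
    exposed = is_affected_version(version) and any(t for _, t in details)
    return exposed, details


# Constructed sample server.xml (not a real deployment): port 8443 keeps the
# default protocol list, port 9443 removes TLSv1.3 explicitly.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig protocols="all,-TLSv1.3">
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    exposed, details = assess("9.0.89", SAMPLE_SERVER_XML)
    for port, tls13 in details:
        print(f"port {port}: TLSv1.3 {'enabled' if tls13 else 'disabled'}")
    print("exposed to CVE-2024-38286:", exposed)
```

Disabling TLSv1.3 on a connector only narrows the attack surface; the mitigation the advisory gives is the upgrade to the fixed release, and the version check above is what should drive that decision.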
