Hi Mark/All, As we are using Apache Http server with Ajp proxy with tomcat. We are also using Apache Http server with Http2. Is this vulnerability applicable to such configurations or not?
Please provide input for below configuration 1. Apache Http Server + AJP proxy+ tomcat with AJP worked Vulnerability applicable or not? 2. Apache Http server + Tomcat with Http proxy Vulnerability applicable or not? Thanks and Regards, Rajendra Rathore 9922701491 -----Original Message----- From: Mark Thomas <ma...@apache.org> Sent: Monday, November 18, 2024 4:48 PM To: Tomcat Users List <users@tomcat.apache.org> Cc: annou...@apache.org; annou...@tomcat.apache.org; Tomcat Developers List <d...@tomcat.apache.org> Subject: [SECURITY] CVE-2024-52317 Apache Tomcat - Request and/or response mix-up CVE-2024-52317 Apache Tomcat - Request and/or response mix-up Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M23 to 11.0.0-M26 Apache Tomcat 10.1.7 to 10.1.30 Apache Tomcat 9.0.92 to 9.0.95 Description: Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.0 or later - Upgrade to Apache Tomcat 10.1.31 or later - Upgrade to Apache Tomcat 9.0.96 or later Credit: This vulnerability identified by the Tomcat security team History: 2024-11-18 Original advisory References: [1] https://tomcat.apache.org/security-11.html [2] https://tomcat.apache.org/security-10.html [3] https://tomcat.apache.org/security-9.html --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org