Vulnerability Management

Apache advisory addresses incomplete Tomcat update


Apache released a security advisory for Apache Tomcat to address a vulnerability, CVE-2019-10072, which could allow an attacker to cause a denial-of-service condition.

The issue was caused by an incomplete fix for the CVE-2019-019 vulnerability that did not address the  window exhaustion on write.

“By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS,” the June 20 security advisory said.

The vulnerability has a severity rating of “Important” and affects Apache Tomcat 9.0.0.M1 to 9.0.19 and Apache Tomcat 8.5.0 to 8.5.40.

To mitigate the attack those affected should upgrade to Apache Tomcat 9.0.20 or later, or upgrade to Apache Tomcat 8.5.41 or later.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.