CVE-2024-34750 - Improper Handling of Exceptional Conditions and Uncontrolled Resource Consumption in Apache Tomcat Leads to Possible Denial of Services

A vulnerability (CVE-2024-34750) has been discovered in Apache Tomcat, a popular open-source web server implementation for the Java platform. The vulnerability lies in the improper handling of exceptional conditions when processing HTTP/2 streams with excessive HTTP headers. This leads to a miscount of active HTTP/2 streams and the incorrect use of an infinite timeout, allowing connections to remain open when they should have been closed. This can result in resource exhaustion leading to possible denial-of-service attacks.

9..90

These versions contain the necessary patches to address the vulnerability.

Exploit Details

The vulnerability is in the HTTP/2 stream handler code of Apache Tomcat, specifically in the way it handles exceptional conditions when processing an HTTP/2 stream. The code does not appropriately handle some cases of excessive HTTP headers, leading to a miscounting of active HTTP/2 streams.

Here is a snippet of the vulnerable code in the HTTP/2 handler

private void processHeaders(Http2Headers headers) {
    // ...
    if (headerCount > maxHeaderCount) {
        // ...
    } else {
        headerCount++;
        // process header ...
    }
}

The issue occurs when the headerCount variable, which keeps track of the number of active HTTP/2 streams, is incremented without properly checking for conditions that would cause the counter to be incremented too many times. This can result in incorrect stream management, leading to resource consumption issues.

The use of an infinite timeout makes the situation worse, as it allows problematic connections to remain open indefinitely. The impact of this vulnerability can be severe, as an attacker could exploit this vulnerability to open numerous connections to the server and exhaust its resources, leading to a denial-of-service (DoS) attack.

For more information on this vulnerability, consult the following official sources

- CVE: CVE-2024-34750
- Apache Tomcat Official Announcement
- Apache Tomcat Security Pages
- Apache Tomcat Changelog)

Upgrade Recommendations

If you are using a vulnerable version of Apache Tomcat, it is recommended that you upgrade as soon as possible to the latest patched versions:

- 11..-M21 Download
- 10.1.25 Download
- 9..90 Download

Even if you are not directly using Apache Tomcat, any software that utilizes it - such as web applications and services - may also be affected. Ensure that you update any dependencies and third-party libraries accordingly to mitigate the vulnerability.

Conclusion

Keeping your software up-to-date is critical to ensuring the security and stability of your web applications and services. The discovery and resolution of this vulnerability demonstrate the importance of regularly monitoring security bulletins and promptly applying relevant patches to protect from potential attacks. Users of Apache Tomcat should take action to address this vulnerability and prevent potential denial-of-service attacks.

Timeline

Published on: 07/03/2024 20:15:04 UTC
Last modified on: 07/09/2024 16:22:37 UTC