oss-sec mailing list archives

CVE-2024-23672: Apache Tomcat: WebSocket DoS with incomplete closing handshake

From: Mark Thomas <markt () apache org>
Date: Wed, 13 Mar 2024 15:49:34 +0000

Severity: important

Affected versions:

- Apache Tomcat 11.0.0-M1 through 11.0.0-M16
- Apache Tomcat 10.1.0-M1 through 10.1.18
- Apache Tomcat 9.0.0-M1 through 9.0.85
- Apache Tomcat 8.5.0 through 8.5.98

Description:

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat.It was possible for WebSocket clients to keep WebSocket connections openleading to increased resource consumption.This issue affects ApacheTomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86or 8.5.99 which fixes the issue.


References:

https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-23672

Current thread:

CVE-2024-23672: Apache Tomcat: WebSocket DoS with incomplete closing handshake Mark Thomas (Mar 13)