Threat Encyclopedia

Apache.Tomcat.H2C.Memory.Exhaustion.DoS

Description

This indicates an attack attempt to exploit a Denial of Service vulnerability in Apache Software Foundation Tomcat.
The vulnerability is due to a failure to release the HTTP/1.1 processor after a direct h2c (HTTP/2 cleartext) connection is initiated.
A remote, unauthenticated attacker can exploit this vulnerability by initiating a large number of h2c connections to a vulnerable server. Successful exploitation results in the consumption of excessive amounts of memory, eventually leading to a denial of service condition.

Affected Products

Apache Software Foundation Tomcat 8.5.0 to 8.5.56
Apache Software Foundation Tomcat 9.0.0.M1 to 9.0.36
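As an added example (not part of this encyclopedia entry), the following Python check maps an inventory of Tomcat version strings against the two affected ranges listed above, handling the milestone form (9.0.0.M1) that sorts before the corresponding final release; the inventory lines are constructed sample data.

```python
import re
from typing import List, Tuple

# Affected ranges as stated in the advisory (both ends inclusive).
AFFECTED_RANGES = (
    ("8.5.0", "8.5.56"),
    ("9.0.0.M1", "9.0.36"),
)

# Accepts "9.0.36" and milestone builds such as "9.0.0.M27".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sort key for a Tomcat version string.

    A milestone (".Mn") is ordered before the final release carrying the
    same three-part number, so 9.0.0.M27 < 9.0.0 < 9.0.1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def affected_hosts(inventory: List[str]) -> List[str]:
    """Return hostnames from 'host,version' lines whose Tomcat is in range."""
    hits = []
    for line in inventory:
        host, version = (part.strip() for part in line.split(",", 1))
        if is_affected(version):
            hits.append(host)
    return hits


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    "web01,9.0.36",      # last affected 9.0.x release
    "web02,9.0.37",      # first release outside the range
    "legacy01,8.5.56",   # last affected 8.5.x release
    "legacy02,8.5.57",   # outside the range
    "build01,9.0.0.M1",  # earliest affected milestone
]

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))  # ['web01', 'legacy01', 'build01']
```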

Impact

Denial of Service: Remote attackers can crash vulnerable systems.

Recommended Actions

Apply the most recent upgrade or patch from the vendor.
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37

CVE References

CVE-2020-13934