CVE Vulnerabilities

CVE-2024-34750

Uncontrolled Resource Consumption

Published: Jul 03, 2024 | Modified: Aug 08, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Name Vendor Start Version End Version
Tomcat Apache 9.0.0 (including) 9.0.90 (excluding)
Tomcat Apache 10.1.0 (including) 10.1.25 (excluding)
Tomcat Apache 11.0.0-milestone1 (including) 11.0.0-milestone1 (including)
Tomcat Apache 11.0.0-milestone10 (including) 11.0.0-milestone10 (including)
Tomcat Apache 11.0.0-milestone11 (including) 11.0.0-milestone11 (including)
Tomcat Apache 11.0.0-milestone12 (including) 11.0.0-milestone12 (including)
Tomcat Apache 11.0.0-milestone13 (including) 11.0.0-milestone13 (including)
Tomcat Apache 11.0.0-milestone14 (including) 11.0.0-milestone14 (including)
Tomcat Apache 11.0.0-milestone15 (including) 11.0.0-milestone15 (including)
Tomcat Apache 11.0.0-milestone16 (including) 11.0.0-milestone16 (including)
Tomcat Apache 11.0.0-milestone17 (including) 11.0.0-milestone17 (including)
Tomcat Apache 11.0.0-milestone18 (including) 11.0.0-milestone18 (including)
Tomcat Apache 11.0.0-milestone19 (including) 11.0.0-milestone19 (including)
Tomcat Apache 11.0.0-milestone2 (including) 11.0.0-milestone2 (including)
Tomcat Apache 11.0.0-milestone20 (including) 11.0.0-milestone20 (including)
Tomcat Apache 11.0.0-milestone3 (including) 11.0.0-milestone3 (including)
Tomcat Apache 11.0.0-milestone4 (including) 11.0.0-milestone4 (including)
Tomcat Apache 11.0.0-milestone5 (including) 11.0.0-milestone5 (including)
Tomcat Apache 11.0.0-milestone6 (including) 11.0.0-milestone6 (including)
Tomcat Apache 11.0.0-milestone7 (including) 11.0.0-milestone7 (including)
Tomcat Apache 11.0.0-milestone8 (including) 11.0.0-milestone8 (including)
Tomcat Apache 11.0.0-milestone9 (including) 11.0.0-milestone9 (including)
Red Hat Enterprise Linux 8 RedHat tomcat-1:9.0.87-1.el8_10.2 *
Red Hat Enterprise Linux 8.8 Extended Update Support RedHat tomcat-1:9.0.87-1.el8_8.3 *
Red Hat Enterprise Linux 9 RedHat tomcat-1:9.0.87-1.el9_4.2 *
Red Hat Enterprise Linux 9.2 Extended Update Support RedHat tomcat-1:9.0.87-1.el9_2.2 *
Red Hat JBoss Web Server 5 RedHat jws5-tomcat *
Red Hat JBoss Web Server 5.8 on RHEL 7 RedHat jws5-tomcat-0:9.0.87-5.redhat_00005.1.el7jws *
Red Hat JBoss Web Server 5.8 on RHEL 8 RedHat jws5-tomcat-0:9.0.87-5.redhat_00005.1.el8jws *
Red Hat JBoss Web Server 5.8 on RHEL 9 RedHat jws5-tomcat-0:9.0.87-5.redhat_00005.1.el9jws *
Red Hat JBoss Web Server 6 RedHat jws6-tomcat *
Red Hat JBoss Web Server 6.0 on RHEL 8 RedHat jws6-tomcat-0:10.1.8-10.redhat_00018.1.el8jws *
Red Hat JBoss Web Server 6.0 on RHEL 9 RedHat jws6-tomcat-0:10.1.8-10.redhat_00018.1.el9jws *
Tomcat10 Ubuntu esm-apps/noble *
Tomcat10 Ubuntu mantic *
Tomcat10 Ubuntu noble *
Tomcat10 Ubuntu upstream *
Tomcat6 Ubuntu trusty/esm *
Tomcat6 Ubuntu upstream *
Tomcat7 Ubuntu trusty/esm *
Tomcat7 Ubuntu upstream *
Tomcat9 Ubuntu devel *
Tomcat9 Ubuntu esm-apps/bionic *
Tomcat9 Ubuntu esm-apps/focal *
Tomcat9 Ubuntu esm-apps/jammy *
Tomcat9 Ubuntu esm-apps/noble *
Tomcat9 Ubuntu focal *
Tomcat9 Ubuntu jammy *
Tomcat9 Ubuntu mantic *
Tomcat9 Ubuntu noble *
Tomcat9 Ubuntu oracular *
Tomcat9 Ubuntu plucky *
Tomcat9 Ubuntu upstream *

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References