Home

CVE-2019-10072

Description

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
72.141

Associated Vulnerability

VulnerabilityOS Platform
CVE-2019-10072 and CVE-2019-0199 Fixed in Apache Tomcat 9.0.20Windows
CVE-2019-10072 and CVE-2019-0199 Fixed in Apache Tomcat 8.5.41Windows
Vulnerabilities CVE-2019-10072 are fixed in Apache - tomcat-embed-core 9.0.20Windows
Vulnerabilities CVE-2019-10072 are fixed in Apache - tomcat-embed-core 8.5.41Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.4Windows
Vulnerabilities CVE-2019-10072,CVE-2021-4104,CVE-2021-42340,CVE-2022-23305 are affected in IBM UrbanCode Deploy 7.0.3.2Windows
Servlet and JSP engine (USN-4128-1) tomcat8_8.0.32-1ubuntu1.10_all.debLinux
Servlet and JSP engine (USN-4128-1) tomcat8_8.5.39-1ubuntu1~18.04.3_all.debLinux
Servlet and JSP engine (USN-4128-1) libtomcat8-java_8.0.32-1ubuntu1.10_all.debLinux
Servlet and JSP engine (USN-4128-1) libtomcat8-java_8.5.39-1ubuntu1~18.04.3_all.debLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-admin-webapps-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-docs-webapp-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-admin-webapps-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-el-3_0-api-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-docs-webapp-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-javadoc-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-el-3_0-api-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-jsp-2_3-api-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-javadoc-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-lib-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-jsp-2_3-api-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-servlet-4_0-api-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-lib-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP4 ) tomcat-webapps-9.0.31-3.25.1.noarch.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-servlet-4_0-api-9.0.31-3.25.1.noarch_SP5.rpmLinux
SUSE-SU-2020:0632-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-webapps-9.0.31-3.25.1.noarch_SP5.rpmLinux
tomcat9 security update(DSA-4680-1) tomcat9_9.0.31-1~deb10u1_all.debLinux
CVE-2019-10072 and CVE-2019-0199 Fixed in Apache Tomcat 9.0.20 (For Linux)Linux
CVE-2019-10072 and CVE-2019-0199 Fixed in Apache Tomcat 8.5.41 (For Linux)Linux
Vulnerabilities CVE-2019-10072 are fixed in Apache - tomcat-embed-core for Linux 9.0.20Linux
Vulnerabilities CVE-2019-10072 are fixed in Apache - tomcat-embed-core for Linux 8.5.41Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234