Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:5024 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 5.8.1 serves as a replacement for Red Hat JBoss Web Server 5.8.0.
    This release includes bug fixes, enhancements and component upgrades, which are documented in the Release     Notes that are linked to in the References section.

    Security Fix(es):

    * jws5-tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:4976 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 6.0.3 serves as a replacement for Red Hat JBoss Web Server 6.0.2.
    This release includes bug fixes, enhancements and component upgrades, which are documented in the Release     Notes that are linked to in the References section.

    Security Fix(es):

    * jws6-tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-661 advisory.

    Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache     Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers     correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect     infinite timeout which allowed connections to remain open which should have been closed.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from     9.0.0-M1 through 9.0.89.

    Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
    (CVE-2024-34750)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:2539-1 advisory.

    - CVE-2024-34750: Fixed improper handling of exceptional conditions (bsc#1227399)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:2485-1 advisory.

    Updated to version 9.0.91:

    - CVE-2024-34750: Fixed an improper handling of exceptional       conditions (bsc#1227399).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:2413-1 advisory.

    - CVE-2024-34750: Fixed an improper handling of exceptional       conditions (bsc#1227399).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 to 9.0.89, 10.1.0-M1 to 10.1.24 or 11.0.0-M1 to 11.0.0-M20. It is, therefore, affected by a denial of service. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 9.0.90. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.90_security-9 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 11.0.0-M21. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_11.0.0-m21_security-11 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 10.1.25. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.1.25_security-10 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.90. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.90_security-9 advisory.

  - Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache     Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers     correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect     infinite timeout which allowed connections to remain open which should have been closed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1     through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the     issue. (CVE-2024-34750)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.25. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.1.25_security-10 advisory.

  - Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache     Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers     correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect     infinite timeout which allowed connections to remain open which should have been closed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1     through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the     issue. (CVE-2024-34750)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 11.0.0.M21. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_11.0.0-m21_security-11 advisory.

  - Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache     Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers     correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect     infinite timeout which allowed connections to remain open which should have been closed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1     through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the     issue. (CVE-2024-34750)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
205021	RHEL 7 / 8 / 9 : Red Hat JBoss Web Server 5.8.1 (RHSA-2024:5024)	Nessus	Red Hat Local Security Checks	high
205018	RHEL 8 / 9 : Red Hat JBoss Web Server 6.0.3 (RHSA-2024:4976)	Nessus	Red Hat Local Security Checks	high
202911	Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2024-661)	Nessus	Amazon Linux Local Security Checks	high
202756	SUSE SLES12 Security Update : tomcat (SUSE-SU-2024:2539-1)	Nessus	SuSE Local Security Checks	high
202462	SUSE SLES15 / openSUSE 15 Security Update : tomcat (SUSE-SU-2024:2485-1)	Nessus	SuSE Local Security Checks	high
202249	SUSE SLES15 / openSUSE 15 Security Update : tomcat10 (SUSE-SU-2024:2413-1)	Nessus	SuSE Local Security Checks	high
114366	Apache Tomcat 9.0.0-M1 < 9.0.90 Denial Of Service	Web App Scanning	Component Vulnerability	high
114365	Apache Tomcat 10.1.0-M1 < 10.1.25 Denial Of Service	Web App Scanning	Component Vulnerability	high
114364	Apache Tomcat 11.0.0-M1 < 11.0.0-M21 Denial Of Service	Web App Scanning	Component Vulnerability	high
701472	Apache Tomcat < 9.0.90 Vulnerability	Nessus Network Monitor	Web Servers	medium
701471	Apache Tomcat < 11.0.0-M21 Vulnerability	Nessus Network Monitor	Web Servers	medium
701470	Apache Tomcat < 10.1.25 Vulnerability	Nessus Network Monitor	Web Servers	medium
201848	Apache Tomcat 9.0.0.M1 < 9.0.90	Nessus	Web Servers	high
201843	Apache Tomcat 10.1.0.M1 < 10.1.25	Nessus	Web Servers	high
201842	Apache Tomcat 11.0.0.M1 < 11.0.0.M21	Nessus	Web Servers	high

Detections

Analytics

CVE-2024-34750

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

medium

medium

medium

high

high

high