Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Security Update for Apache Tomcat

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8572 advisory.

    The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate     System.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8497 advisory.

    The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate     System.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8543 advisory.

    The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate     System.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8567 advisory.

    The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate     System.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8528 advisory.

    Tomcat is the servlet engine that is used in the official Reference Implementation for the Java Servlet     and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by     Sun under the Java Community Process.  Tomcat is developed in an open and participatory environment and     released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the     best-of-breed developers from around the world.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8494 advisory.

    Tomcat is the servlet engine that is used in the official Reference Implementation for the Java Servlet     and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by     Sun under the Java Community Process.  Tomcat is developed in an open and participatory environment and     released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the     best-of-breed developers from around the world.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:3510-1 advisory.

    - CVE-2024-38286: OutOfMemory exception triggered through abuse of the TLS handshake process.
    (bsc#1230986)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5696 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    Security Fix(es):

    * tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5694 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    Security Fix(es):

    * tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5693 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    Security Fix(es):

    * tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5695 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    Security Fix(es):

    * tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5024 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 5.8.1 serves as a replacement for Red Hat JBoss Web Server 5.8.0.
    This release includes bug fixes, enhancements and component upgrades, which are documented in the Release     Notes that are linked to in the References section.

    Security Fix(es):

    * jws5-tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)
    * jws5-tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4976 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 6.0.3 serves as a replacement for Red Hat JBoss Web Server 6.0.2.
    This release includes bug fixes, enhancements and component upgrades, which are documented in the Release     Notes that are linked to in the References section.

    Security Fix(es):

    * jws6-tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)
    * jws6-tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.25. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.25_security-10 advisory.

  - Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache     Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers     correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect     infinite timeout which allowed connections to remain open which should have been closed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1     through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the     issue. (CVE-2024-34750)

  - Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError     by abusing the TLS handshake process, leading to a DoS vulnerability (CVE-2024-38286)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
210566	RHEL 8 : pki-deps:10.6 (RHSA-2024:8572)	Nessus	Red Hat Local Security Checks	high
210523	RHEL 8 : pki-deps:10.6 (RHSA-2024:8497)	Nessus	Red Hat Local Security Checks	high
210519	RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2024:8543)	Nessus	Red Hat Local Security Checks	high
210516	RHEL 8 : pki-deps:10.6 (RHSA-2024:8567)	Nessus	Red Hat Local Security Checks	high
209893	RHEL 9 : pki-servlet-engine (RHSA-2024:8528)	Nessus	Red Hat Local Security Checks	high
209884	RHEL 9 : pki-servlet-engine (RHSA-2024:8494)	Nessus	Red Hat Local Security Checks	high
208063	SUSE SLES12 Security Update : tomcat (SUSE-SU-2024:3510-1)	Nessus	SuSE Local Security Checks	high
206033	RHEL 9 : tomcat (RHSA-2024:5696)	Nessus	Red Hat Local Security Checks	high
206032	RHEL 8 : tomcat (RHSA-2024:5694)	Nessus	Red Hat Local Security Checks	high
206030	RHEL 9 : tomcat (RHSA-2024:5693)	Nessus	Red Hat Local Security Checks	high
206029	RHEL 8 : tomcat (RHSA-2024:5695)	Nessus	Red Hat Local Security Checks	high
205021	RHEL 7 / 8 / 9 : Red Hat JBoss Web Server 5.8.1 (RHSA-2024:5024)	Nessus	Red Hat Local Security Checks	high
205018	RHEL 8 / 9 : Red Hat JBoss Web Server 6.0.3 (RHSA-2024:4976)	Nessus	Red Hat Local Security Checks	high
201843	Apache Tomcat 10.1.0.M1 < 10.1.25	Nessus	Web Servers	high

Detections

Analytics

CVE-2024-38286

high

Tenable Plugins

Coming Soon

high

high

high

high

high

high

high

high

high

high

high

high

high

high