Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Security Update for Apache Tomcat

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5845 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5845-1                   security@debian.org     https://www.debian.org/security/                          Markus Koschany     January 17, 2025                      https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : tomcat10     CVE ID         : CVE-2024-34750 CVE-2024-38286 CVE-2024-50379 CVE-2024-52316                      CVE-2024-54677 CVE-2024-56337

    Several problems have been addressed in Tomcat 10, a Java based web server,     servlet and JSP engine which may lead to a denial-of-service.


    CVE-2024-38286

        Apache Tomcat, under certain configurations, allows an attacker to cause an         OutOfMemoryError by abusing the TLS handshake process.

    CVE-2024-52316

        Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is         configured to use a custom Jakarta Authentication (formerly JASPIC)         ServerAuthContext component which may throw an exception during the         authentication process without explicitly setting an HTTP status to         indicate failure, the authentication may not fail, allowing the user to         bypass the authentication process. There are no known Jakarta         Authentication components that behave in this way.

    CVE-2024-50379 / CVE-2024-56337

        Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP         compilation in Apache Tomcat permits an RCE on case insensitive file         systems when the default servlet is enabled for write (non-default         configuration).
        Some users may need additional configuration to fully mitigate         CVE-2024-50379 depending on which version of Java they are using with         Tomcat. For Debian 12 bookworm the system property         sun.io.useCanonCaches must be explicitly set to false (it defaults to         false). Most Debian users will not be affected because Debian uses case         sensitive file systems by default.

    CVE-2024-34750

        Improper Handling of Exceptional Conditions, Uncontrolled Resource         Consumption vulnerability in Apache Tomcat. When processing an HTTP/2         stream, Tomcat did not handle some cases of excessive HTTP headers         correctly. This led to a miscounting of active HTTP/2 streams which in turn         led to the use of an incorrect infinite timeout which allowed connections         to remain open which should have been closed.

    CVE-2024-54677

        Uncontrolled Resource Consumption vulnerability in the examples web         application provided with Apache Tomcat leads to denial of service.


    For the stable distribution (bookworm), these problems have been fixed in     version 10.1.34-0+deb12u1.

    We recommend that you upgrade your tomcat10 packages.

    For the detailed security status of tomcat10 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tomcat10

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4017 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4017-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Markus Koschany     January 17, 2025                              https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : tomcat9     Version        : 9.0.43-2~deb11u11     CVE ID         : CVE-2024-21733 CVE-2024-38286 CVE-2024-50379 CVE-2024-52316                      CVE-2024-56337

    Several problems have been addressed in Tomcat 9, a Java based web server,     servlet and JSP engine which may lead to a denial-of-service or the disclosure     of sensitive information.

    CVE-2024-21733

        Generation of Error Message Containing Sensitive Information vulnerability         in Apache Tomcat.

    CVE-2024-38286

        Apache Tomcat, under certain configurations, allows an attacker to cause an         OutOfMemoryError by abusing the TLS handshake process.

    CVE-2024-52316

        Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is         configured to use a custom Jakarta Authentication (formerly JASPIC)         ServerAuthContext component which may throw an exception during the         authentication process without explicitly setting an HTTP status to         indicate failure, the authentication may not fail, allowing the user to         bypass the authentication process. There are no known Jakarta         Authentication components that behave in this way.

    CVE-2024-50379 / CVE-2024-56337

        Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP         compilation in Apache Tomcat permits an RCE on case insensitive file         systems when the default servlet is enabled for write (non-default         configuration).
        Some users may need additional configuration to fully mitigate         CVE-2024-50379 depending on which version of Java they are using with         Tomcat. For Debian 11 bullseye the system property         sun.io.useCanonCaches must be explicitly set to false (it defaults to         true). Most Debian users will not be affected because Debian uses case         sensitive file systems by default.

    For Debian 11 bullseye, these problems have been fixed in version     9.0.43-2~deb11u11.

    We recommend that you upgrade your tomcat9 packages.

    For the detailed security status of tomcat9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tomcat9

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8572 advisory.

    The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate     System.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8497 advisory.

    The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate     System.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8543 advisory.

    The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate     System.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8567 advisory.

    The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate     System.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8528 advisory.

    Tomcat is the servlet engine that is used in the official Reference Implementation for the Java Servlet     and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by     Sun under the Java Community Process.  Tomcat is developed in an open and participatory environment and     released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the     best-of-breed developers from around the world.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:8494 advisory.

    Tomcat is the servlet engine that is used in the official Reference Implementation for the Java Servlet     and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by     Sun under the Java Community Process.  Tomcat is developed in an open and participatory environment and     released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the     best-of-breed developers from around the world.

    Security Fix(es):

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:3510-1 advisory.

    - CVE-2024-38286: OutOfMemory exception triggered through abuse of the TLS handshake process.
    (bsc#1230986)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5696 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    Security Fix(es):

    * tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5694 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    Security Fix(es):

    * tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5693 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    Security Fix(es):

    * tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5695 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    Security Fix(es):

    * tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)

    * tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5024 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 5.8.1 serves as a replacement for Red Hat JBoss Web Server 5.8.0.
    This release includes bug fixes, enhancements and component upgrades, which are documented in the Release     Notes that are linked to in the References section.

    Security Fix(es):

    * jws5-tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)
    * jws5-tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4976 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 6.0.3 serves as a replacement for Red Hat JBoss Web Server 6.0.2.
    This release includes bug fixes, enhancements and component upgrades, which are documented in the Release     Notes that are linked to in the References section.

    Security Fix(es):

    * jws6-tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)
    * jws6-tomcat: Denial of Service in Tomcat (CVE-2024-38286)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 to 9.0.89, 10.1.0-M1 to 10.1.24 or 11.0.0-M1 to 11.0.0-M20. It is, therefore, affected by a denial of service. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.25. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.25_security-10 advisory.

  - Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache     Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers     correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect     infinite timeout which allowed connections to remain open which should have been closed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1     through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the     issue. (CVE-2024-34750)

  - Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError     by abusing the TLS handshake process, leading to a DoS vulnerability (CVE-2024-38286)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
214338	Debian dsa-5845 : libtomcat10-embed-java - security update	Nessus	Debian Local Security Checks	critical
214321	Debian dla-4017 : libtomcat9-embed-java - security update	Nessus	Debian Local Security Checks	medium
210566	RHEL 8 : pki-deps:10.6 (RHSA-2024:8572)	Nessus	Red Hat Local Security Checks	high
210523	RHEL 8 : pki-deps:10.6 (RHSA-2024:8497)	Nessus	Red Hat Local Security Checks	high
210519	RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2024:8543)	Nessus	Red Hat Local Security Checks	high
210516	RHEL 8 : pki-deps:10.6 (RHSA-2024:8567)	Nessus	Red Hat Local Security Checks	high
209893	RHEL 9 : pki-servlet-engine (RHSA-2024:8528)	Nessus	Red Hat Local Security Checks	high
209884	RHEL 9 : pki-servlet-engine (RHSA-2024:8494)	Nessus	Red Hat Local Security Checks	high
208063	SUSE SLES12 Security Update : tomcat (SUSE-SU-2024:3510-1)	Nessus	SuSE Local Security Checks	high
206033	RHEL 9 : tomcat (RHSA-2024:5696)	Nessus	Red Hat Local Security Checks	high
206032	RHEL 8 : tomcat (RHSA-2024:5694)	Nessus	Red Hat Local Security Checks	high
206030	RHEL 9 : tomcat (RHSA-2024:5693)	Nessus	Red Hat Local Security Checks	high
206029	RHEL 8 : tomcat (RHSA-2024:5695)	Nessus	Red Hat Local Security Checks	high
205021	RHEL 7 / 8 / 9 : Red Hat JBoss Web Server 5.8.1 (RHSA-2024:5024)	Nessus	Red Hat Local Security Checks	high
205018	RHEL 8 / 9 : Red Hat JBoss Web Server 6.0.3 (RHSA-2024:4976)	Nessus	Red Hat Local Security Checks	high
114366	Apache Tomcat 9.0.0-M1 < 9.0.90 Denial Of Service	Web App Scanning	Component Vulnerability	high
114365	Apache Tomcat 10.1.0-M1 < 10.1.25 Denial Of Service	Web App Scanning	Component Vulnerability	high
114364	Apache Tomcat 11.0.0-M1 < 11.0.0-M21 Denial Of Service	Web App Scanning	Component Vulnerability	high
201843	Apache Tomcat 10.1.0.M1 < 10.1.25	Nessus	Web Servers	high

Detections

Analytics

CVE-2024-38286

high

Tenable Plugins

Coming Soon

critical

medium

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high