Apache Tomcat: Denial of Service
Description
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.
Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcat-utilMaven | >= 11.0.0-M1, < 11.0.0-M21 | 11.0.0-M21 |
org.apache.tomcat:tomcat-utilMaven | >= 10.1.0-M1, < 10.1.25 | 10.1.25 |
org.apache.tomcat:tomcat-utilMaven | >= 9.0.13, < 9.0.90 | 9.0.90 |
org.apache.tomcat:tomcat-utilMaven | >= 8.5.35, <= 8.5.100 | — |
org.apache.tomcat:tomcat-utilMaven | >= 7.0.92, <= 7.0.109 | — |
Affected products
11- osv-coords10 versionspkg:apk/chainguard/tomcat-9-openjdk-11pkg:apk/chainguard/tomcat-9-openjdk-17pkg:apk/chainguard/tomcat-9-openjdk-21pkg:apk/chainguard/tomcat-9-openjdk-8pkg:bitnami/tomcatpkg:maven/org.apache.tomcat/tomcat-utilpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
< 9.0.112-r0+ 9 more
- (no CPE)range: < 9.0.112-r0
- (no CPE)range: < 9.0.112-r0
- (no CPE)range: < 9.0.112-r0
- (no CPE)range: < 9.0.112-r0
- (no CPE)range: >= 9.0.13, < 9.0.90
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M21
- (no CPE)range: < 9.0.36-3.130.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-3.130.1
- (no CPE)range: < 9.0.115-3.160.1
- Apache Software Foundation/Apache Tomcatv5Range: 11.0.0-M1
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-7jqf-v358-p8g7ghsaADVISORY
- lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4sghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-38286ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/09/23/2ghsaWEB
- github.com/apache/tomcat/commit/3197862639732e16ec1164557bcd289ebc116c93ghsaWEB
- github.com/apache/tomcat/commit/3344c17cef094da4bb616f4186ed32039627b543ghsaWEB
- github.com/apache/tomcat/commit/76c5cce6f0bcef14b0c21c38910371ca7d322d13ghsaWEB
- lists.debian.org/debian-lts-announce/2025/01/msg00009.htmlghsaWEB
- security.netapp.com/advisory/ntap-20241101-0010ghsaWEB
News mentions
0No linked articles in our index yet.