The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Metrics

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Apache
  • Tomcat
Redhat
  • Jboss Enterprise Web Server
  • Openshift Application Runtimes

Configuration 1 [-]

OR cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat JBoss Web Server 5
tomcat cpe:/a:redhat:jboss_enterprise_web_server:5.2 RHSA-2019:3931 2019-11-20T00:00:00Z
Red Hat JBoss Web Server 5.2 on RHEL 6
jws5-ecj-0:4.12.0-1.redhat_1.1.el6jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-javapackages-tools-0:3.4.1-5.15.11.el6jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el6jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el6jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-tomcat-0:9.0.21-10.redhat_4.1.el6jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-tomcat-native-0:1.2.21-34.redhat_34.el6jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el6jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 RHSA-2019:3929 2019-11-20T00:00:00Z
Red Hat JBoss Web Server 5.2 on RHEL 7
jws5-ecj-0:4.12.0-1.redhat_1.1.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-javapackages-tools-0:3.4.1-5.15.11.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-tomcat-0:9.0.21-10.redhat_4.1.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-tomcat-native-0:1.2.21-34.redhat_34.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 RHSA-2019:3929 2019-11-20T00:00:00Z
Red Hat JBoss Web Server 5.2 on RHEL 8
jws5-ecj-0:4.12.0-1.redhat_1.1.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-javapackages-tools-0:3.4.1-5.15.11.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-tomcat-0:9.0.21-10.redhat_4.1.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-tomcat-native-0:1.2.21-34.redhat_34.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 RHSA-2019:3929 2019-11-20T00:00:00Z
jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 RHSA-2019:3929 2019-11-20T00:00:00Z
Red Hat Runtimes Spring Boot 2.1.12
tomcat cpe:/a:redhat:openshift_application_runtimes:1.0 RHSA-2020:2366 2020-06-04T00:00:00Z
References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00013.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html cve-icon cve-icon
http://www.securityfocus.com/bid/107674 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3929 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3931 cve-icon cve-icon
https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6%40%3Cusers.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067%40%3Cusers.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9%40%3Cannounce.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef%40%3Cannounce.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600%40%3Cannounce.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995%40%3Cannounce.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e%40%3Ccommits.tomee.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c%40%3Cusers.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-0199 cve-icon
https://seclists.org/bugtraq/2019/Dec/43 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190419-0001/ cve-icon cve-icon
https://support.f5.com/csp/article/K17321505 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-0199 cve-icon
https://www.debian.org/security/2019/dsa-4596 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuapr2020.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2020.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2019-04-10T14:21:50

Updated: 2024-08-04T17:44:15.322Z

Reserved: 2018-11-14T00:00:00

Link: CVE-2019-0199

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-04-10T15:29:00.390

Modified: 2023-12-08T16:41:18.860

Link: CVE-2019-0199

cve-icon Redhat

Severity : Important

Publid Date: 2019-03-25T00:00:00Z

Links: CVE-2019-0199 - Bugzilla