{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-23672", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-01-19T11:44:18.348Z", "datePublished": "2024-03-13T15:48:42.610Z", "dateUpdated": "2024-11-18T21:35:31.746Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.0-M16", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.18", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.85", "status": "affected", "version": "9.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "8.5.98", "status": "affected", "version": "8.5.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.<p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.</p><p>Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.</p>"}], "value": "Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-459", "description": "CWE-459 Incomplete Cleanup", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-03-13T15:48:42.610Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f"}, {"url": "https://security.netapp.com/advisory/ntap-20240402-0002/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/13/4"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"}], "source": {"discovery": "INTERNAL"}, "title": "Apache Tomcat: WebSocket DoS with incomplete closing handshake", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-03-13T18:10:26.291000Z", "id": "CVE-2024-23672", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T21:35:31.746Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.345Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f"}, {"url": "https://security.netapp.com/advisory/ntap-20240402-0002/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/13/4", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240402-0002/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/13/4", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.345Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-23672", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-13T18:10:26.291000Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:17.413Z"}}], "cna": {"title": "Apache Tomcat: WebSocket DoS with incomplete closing handshake", "source": {"discovery": "INTERNAL"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M1", "versionType": "semver", "lessThanOrEqual": "11.0.0-M16"}, {"status": "affected", "version": "10.1.0-M1", "versionType": "semver", "lessThanOrEqual": "10.1.18"}, {"status": "affected", "version": "9.0.0-M1", "versionType": "semver", "lessThanOrEqual": "9.0.85"}, {"status": "affected", "version": "8.5.0", "versionType": "semver", "lessThanOrEqual": "8.5.98"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20240402-0002/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/13/4"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.<p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.</p><p>Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-459", "description": "CWE-459 Incomplete Cleanup"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-03-13T15:48:42.610Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23672", "state": "PUBLISHED", "dateUpdated": "2024-11-18T21:35:31.746Z", "dateReserved": "2024-01-19T11:44:18.348Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-03-13T15:48:42.610Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n"}, {"lang": "es", "value": "Denegaci\u00f3n de servicio mediante vulnerabilidad de limpieza incompleta en Apache Tomcat. Los clientes de WebSocket pod\u00edan mantener abiertas las conexiones de WebSocket, lo que generaba un mayor consumo de recursos. Este problema afecta a Apache Tomcat: desde 11.0.0-M1 hasta 11.0.0-M16, desde 10.1.0-M1 hasta 10.1.18, desde 9.0. 0-M1 hasta 9.0.85, desde 8.5.0 hasta 8.5.98. Se recomienda a los usuarios actualizar a la versi\u00f3n 11.0.0-M17, 10.1.19, 9.0.86 u 8.5.99, que solucionan el problema."}], "id": "CVE-2024-23672", "lastModified": "2024-11-21T08:58:08.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-13T16:15:29.287", "references": [{"source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2024/03/13/4"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f"}, {"source": "security@apache.org", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"}, {"source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20240402-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/13/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240402-0002/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-459"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3666", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "tomcat-1:9.0.87-1.el8_10.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-06T00:00:00Z"}, {"advisory": "RHSA-2024:3814", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "tomcat-1:9.0.87-1.el8_8.2", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-06-11T00:00:00Z"}, {"advisory": "RHSA-2024:3307", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "tomcat-1:9.0.87-1.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:3308", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "tomcat-1:9.0.87-1.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:1914", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.8", "package": "tomcat", "product_name": "Red Hat JBoss Web Server 5", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:1913", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el7", "package": "jws5-tomcat-0:9.0.87-3.redhat_00003.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.8 on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:1913", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el8", "package": "jws5-tomcat-0:9.0.87-3.redhat_00003.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.8 on RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:1913", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el9", "package": "jws5-tomcat-0:9.0.87-3.redhat_00003.1.el9jws", "product_name": "Red Hat JBoss Web Server 5.8 on RHEL 9", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:1917", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0", "package": "tomcat", "product_name": "Red Hat JBoss Web Server 6", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:1916", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0::el8", "package": "jws6-tomcat-0:10.1.8-7.redhat_00014.1.el8jws", "product_name": "Red Hat JBoss Web Server 6.0 on RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:1916", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0::el9", "package": "jws6-tomcat-0:10.1.8-7.redhat_00014.1.el9jws", "product_name": "Red Hat JBoss Web Server 6.0 on RHEL 9", "release_date": "2024-05-07T00:00:00Z"}], "bugzilla": {"description": "Tomcat: WebSocket DoS with incomplete closing handshake", "id": "2269608", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269608"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-459", "details": ["Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.", "A denial of service (DoS) vulnerability present in the Apache Tomcat package arises from an incomplete cleanup process. Specifically, WebSocket clients can perpetuate WebSocket connections without proper termination, thereby causing a sustained drain on system resources. This vulnerability facilitates the exploitation of Apache Tomcat servers, leading to a scenario where excessive resource consumption occurs due to the prolonged existence of these open WebSocket connections. As a consequence, the server's performance may degrade significantly, resulting in potential service disruption or unresponsiveness."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-23672", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-23672\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-23672\nhttps://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f"], "statement": "This Denial of Service (DoS) vulnerability within the Apache Tomcat package represents an Important severity issue due to its potential to significantly impact system availability and performance. By allowing WebSocket clients to maintain open connections without proper cleanup, the vulnerability facilitates the sustained consumption of server resources. This exploitation results in increased CPU, memory, and network utilization, ultimately leading to server degradation or unresponsiveness. The inability to terminate these lingering connections efficiently exacerbates the severity of the issue, as it enables attackers to exploit limited resources over an extended period, amplifying the impact of the attack.\nRed Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8's Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there are no entry point for WebSockets, and thus it is not possible to trigger the flaw in a supported setup.", "threat_severity": "Important", "upstream_fix": "Apache Tomcat 11.0.0-M17, Apache Tomcat 10.1.19, Apache Tomcat 9.0.86, Apache Tomcat 8.5.99"}