{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38286", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-06-12T16:27:23.740Z", "datePublished": "2024-11-07T07:37:32.224Z", "dateUpdated": "2024-11-07T16:36:00.935Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.0-M20", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.24", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.89", "status": "affected", "version": "9.0.13", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Ozaki, North Grid Corporation"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected.<br></p><p>Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.</p><p></p><div>Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.<br></div><br><p></p>"}], "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected.\n\n\nUsers are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.\n\n\n\nApache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-11-07T07:37:32.224Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2024-06-04T06:21:00.000Z", "value": "Issue reported to Apache Tomcat Security Team"}], "title": "Apache Tomcat: Denial of Service", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/09/23/2"}, {"url": "https://security.netapp.com/advisory/ntap-20241101-0010/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-11-07T08:03:33.093Z"}}, {"affected": [{"vendor": "apache", "product": "tomcat", "cpes": ["cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "11.0.0-m1", "status": "affected", "lessThanOrEqual": "11.0.0-m20", "versionType": "semver"}, {"version": "10.1.0-m1", "status": "affected", "lessThanOrEqual": "10.1.24", "versionType": "semver"}, {"version": "9.0.13", "status": "affected", "lessThanOrEqual": "9.0.89", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-07T16:33:49.152023Z", "id": "CVE-2024-38286", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-07T16:36:00.935Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38286", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-06-12T16:27:23.740Z", "datePublished": "2024-11-07T07:37:32.224Z", "dateUpdated": "2024-11-07T16:36:00.935Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.0-M20", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.24", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.89", "status": "affected", "version": "9.0.13", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Ozaki, North Grid Corporation"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected.<br></p><p>Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.</p><p></p><div>Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.<br></div><br><p></p>"}], "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected.\n\n\nUsers are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.\n\n\n\nApache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-11-07T07:37:32.224Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2024-06-04T06:21:00.000Z", "value": "Issue reported to Apache Tomcat Security Team"}], "title": "Apache Tomcat: Denial of Service", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/09/23/2"}, {"url": "https://security.netapp.com/advisory/ntap-20241101-0010/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-11-07T08:03:33.093Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38286", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-07T16:33:49.152023Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "tomcat", "versions": [{"status": "affected", "version": "11.0.0-m1", "versionType": "semver", "lessThanOrEqual": "11.0.0-m20"}, {"status": "affected", "version": "10.1.0-m1", "versionType": "semver", "lessThanOrEqual": "10.1.24"}, {"status": "affected", "version": "9.0.13", "versionType": "custom", "lessThanOrEqual": "9.0.89"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-07T16:35:47.994Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected.\n\n\nUsers are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.\n\n\n\nApache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process."}, {"lang": "es", "value": "Vulnerabilidad de asignaci\u00f3n de recursos sin l\u00edmites o limitaci\u00f3n de recursos en Apache Tomcat. Este problema afecta a Apache Tomcat: desde la versi\u00f3n 11.0.0-M1 hasta la 11.0.0-M20, desde la versi\u00f3n 10.1.0-M1 hasta la 10.1.24, desde la versi\u00f3n 9.0.13 hasta la 9.0.89. Tambi\u00e9n pueden verse afectadas versiones anteriores no compatibles. Se recomienda a los usuarios que actualicen a la versi\u00f3n 11.0.0-M21, 10.1.25 o 9.0.90, que soluciona el problema. Apache Tomcat, en determinadas configuraciones de cualquier plataforma, permite a un atacante provocar un error OutOfMemoryError abusando del proceso de enlace TLS."}], "id": "CVE-2024-38286", "lastModified": "2024-11-08T19:01:03.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2024-11-07T08:15:13.007", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security@apache.org", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:5694", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "tomcat-1:9.0.87-1.el8_10.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-21T00:00:00Z"}, {"advisory": "RHSA-2024:8567", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "pki-deps:10.6-8020020241017135048.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8497", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "pki-deps:10.6-8040020241017141927.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-10-28T00:00:00Z"}, {"advisory": "RHSA-2024:8497", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "pki-deps:10.6-8040020241017141927.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-10-28T00:00:00Z"}, {"advisory": "RHSA-2024:8497", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "pki-deps:10.6-8040020241017141927.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-10-28T00:00:00Z"}, {"advisory": "RHSA-2024:8572", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "pki-deps:10.6-8060020241017143140.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8572", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "pki-deps:10.6-8060020241017143140.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:8572", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "pki-deps:10.6-8060020241017143140.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-10-29T00:00:00Z"}, {"advisory": "RHSA-2024:5695", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "tomcat-1:9.0.87-1.el8_8.3", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-08-21T00:00:00Z"}, {"advisory": "RHSA-2024:8543", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "pki-core:10.6-8080020241014201334.693a3987", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-10-28T00:00:00Z"}, {"advisory": "RHSA-2024:8543", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "pki-deps:10.6-8080020241014222908.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-10-28T00:00:00Z"}, {"advisory": "RHSA-2024:5693", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "tomcat-1:9.0.87-1.el9_4.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-21T00:00:00Z"}, {"advisory": "RHSA-2024:8528", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "pki-servlet-engine-1:9.0.43-4.el9_0.1", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-10-28T00:00:00Z"}, {"advisory": "RHSA-2024:5696", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "tomcat-1:9.0.87-1.el9_2.2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-08-21T00:00:00Z"}, {"advisory": "RHSA-2024:8494", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "pki-servlet-engine-1:9.0.50-1.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-28T00:00:00Z"}, {"advisory": "RHSA-2024:5025", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.8", "package": "tomcat", "product_name": "Red Hat JBoss Web Server 5", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:5024", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el7", "package": "jws5-tomcat-0:9.0.87-5.redhat_00005.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.8 on RHEL 7", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:5024", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el8", "package": "jws5-tomcat-0:9.0.87-5.redhat_00005.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.8 on RHEL 8", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:5024", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el9", "package": "jws5-tomcat-0:9.0.87-5.redhat_00005.1.el9jws", "product_name": "Red Hat JBoss Web Server 5.8 on RHEL 9", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:4977", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0", "product_name": "Red Hat JBoss Web Server 6", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:4976", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0::el8", "package": "jws6-tomcat-0:10.1.8-10.redhat_00018.1.el8jws", "product_name": "Red Hat JBoss Web Server 6.0 on RHEL 8", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:4976", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0::el9", "package": "jws6-tomcat-0:10.1.8-10.redhat_00018.1.el9jws", "product_name": "Red Hat JBoss Web Server 6.0 on RHEL 9", "release_date": "2024-08-06T00:00:00Z"}], "bugzilla": {"description": "tomcat: Denial of Service in Tomcat", "id": "2314686", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2314686"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected.\nUsers are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.\nApache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.", "A vulnerability was found in Tomcat. Under certain configurations on any platform, this flaw allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-38286", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-09-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38286\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38286\nhttps://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s"], "statement": "CVE-2024-38286 represents an important security issue due to its potential to cause an `OutOfMemoryError` through the exploitation of the TLS handshake process in Apache Tomcat. This vulnerability specifically impacts configurations using TLS 1.3, which is increasingly adopted for secure communications. The ability for an attacker to trigger an OutOfMemoryError can lead to a denial-of-service (DoS) condition, effectively rendering the application or server inoperable.\nThe issue only affects configurations that utilize TLS 1.3.", "threat_severity": "Important"}