Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks

Overview :

Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn’t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.

Affected Product(s) :

Apache Tomcat 9.0.0.M1 to 9.0.0.M17
Apache Tomcat 8.5.0 to 8.5.11
Apache Tomcat 8.0.0.RC1 to 8.0.41
Apache Tomcat 7.0.0 to 7.0.75
Apache Tomcat 6.0.x is not affected

Vulnerability Details :

CVE ID :	CVE-2019-10079
	While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Solution :

Users of the affected versions should apply one of the following mitigations:
– Upgrade to Apache Tomcat 9.0.0.M18 or later
– Upgrade to Apache Tomcat 8.5.12 or later
– Upgrade to Apache Tomcat 8.0.42 or later
– Upgrade to Apache Tomcat 7.0.76 or later

Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2022-41157 : KYUNGRINARA ERP SOLUTION SERP SERVER HARD-CODED CREDENTIALS

CVE-2022-45884 : LINUX KERNEL UP TO 6.0.9 DVBDEV.C DVB_REGISTER_DEVICE USE AFTER FREE

CVE-2022-41875 : OPTICA UP TO 0.10.1 JSON OJ.SAFE_LOAD DESERIALIZATION