Overview :
Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn’t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.
Affected Product(s) :
  • Apache Tomcat 9.0.0.M1 to 9.0.0.M17
  • Apache Tomcat 8.5.0 to 8.5.11
  • Apache Tomcat 8.0.0.RC1 to 8.0.41
  • Apache Tomcat 7.0.0 to 7.0.75
  • Apache Tomcat 6.0.x is not affected
Vulnerability Details :
CVE ID : CVE-2019-10079
While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Solution :

Users of the affected versions should apply one of the following mitigations:
– Upgrade to Apache Tomcat 9.0.0.M18 or later
– Upgrade to Apache Tomcat 8.5.12 or later
– Upgrade to Apache Tomcat 8.0.42 or later
– Upgrade to Apache Tomcat 7.0.76 or later