Affected versions:
- Apache Tomcat 11.0.0-M1 through 11.0.0-M20
- Apache Tomcat 10.1.0-M1 through 10.1.24
- Apache Tomcat 9.0.13 through 9.0.89
Description:
Allocation of Resources Without Limits or Throttling vulnerability in
Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20,
from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older,
unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or
9.0.90, which fixes the issue.
Apache Tomcat, under certain configurations on any platform, allows an
attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
Credit:
Ozaki, North Grid Corporation (reporter)
References:
https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-38286
Timeline:
2024-06-04: Issue reported to Apache Tomcat Security Team
