On 01/08/2019 19:49, Justiniano, Tony wrote:
> Forwarding from an initial email this morning.
> _______________________________________________________
> Good Morning,
> I have been referred to this team in an attempt to have some questions 
> answered.  Before I ask those questions let me provide a little background on 
> how I got to this point.
> Vulnerability scans showed that two of my servers in the DMZ came back with 
> CVE-2019-10072 vulnerability.  The CVE information is below:
> The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 
> connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 
> 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the 
> connection window (stream 0) clients were able to cause server-side threads 
> to block eventually leading to thread exhaustion and a DoS. 
> (CVE-2019-10072<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072>)
> The question I have is based on the server.xml configuring the connector and 
> protocols used.  Below are both of my servers server.xml connector entries:
> Server6: <Connector port="443" 
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> Server5: <Connector port="443" 
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> What I have highlighted are the protocols that are used for those specific 
> connectors on the servers.
> So, my question is in your professional opinions, if I'm not calling the 
> http2 protocol in any connector, my servers shouldn't be susceptible to the 
> particular CVE's vulnerability assessment.
> Please let me know if this question can be answered.

If you don't have

<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

nested in a Connector anywhere in your server.xml then you can't
possibly be vulnerable to HTTP/2 related vulnerabilities.

Looks like it is time to start shopping for a new vulnerability scanner.
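The check described in the reply (is an HTTP/2 UpgradeProtocol nested in any Connector?) can be done mechanically against server.xml rather than by eye. The script below is an added example and not code from either poster or from the Tomcat project. It parses server.xml with Python's standard XML parser and reports each Connector that has a nested `<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>`. The two server.xml fragments embedded in it are constructed for the example: the first mirrors the connectors quoted in the question, with the HTTP/2 connector that stock server.xml ships commented out, and the second has HTTP/2 actually enabled.

```python
import xml.etree.ElementTree as ET

# The class name the reply says to look for, nested inside a <Connector>.
HTTP2_UPGRADE_CLASS = "org.apache.coyote.http2.Http2Protocol"


def http2_connectors(server_xml: str) -> list:
    """Return one dict per <Connector> that enables HTTP/2 through a nested
    <UpgradeProtocol> element.  A real XML parse is used on purpose: a plain
    grep would also match the commented-out HTTP/2 connector that the stock
    server.xml contains, giving a false positive."""
    root = ET.fromstring(server_xml)
    enabled = []
    for connector in root.iter("Connector"):
        # UpgradeProtocol is a direct child of Connector, so findall() on the
        # connector element is sufficient here.
        upgrades = [
            u for u in connector.findall("UpgradeProtocol")
            if u.get("className") == HTTP2_UPGRADE_CLASS
        ]
        if upgrades:
            enabled.append({
                "port": connector.get("port"),
                "protocol": connector.get("protocol", "HTTP/1.1"),
            })
    return enabled


def http2_exposed(server_xml: str) -> bool:
    """True if any connector in this server.xml negotiates HTTP/2 and the
    HTTP/2-only findings (such as CVE-2019-10072) therefore apply."""
    return bool(http2_connectors(server_xml))


# Constructed sample: the shape of the connectors quoted in the question,
# plus the HTTP/2 connector commented out as in the stock server.xml.
SERVER_XML_NO_HTTP2 = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    -->
  </Service>
</Server>
"""

# Constructed sample: the same layout with HTTP/2 genuinely enabled on 8443.
SERVER_XML_WITH_HTTP2 = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, xml_text in (("no-http2", SERVER_XML_NO_HTTP2),
                            ("with-http2", SERVER_XML_WITH_HTTP2)):
        hits = http2_connectors(xml_text)
        print(f"{label}: exposed={http2_exposed(xml_text)} connectors={hits}")
```

To run it against a real deployment, read `$CATALINA_BASE/conf/server.xml` into a string and pass it to `http2_exposed()`; a scanner that flags the version banner alone, as the one in the question apparently did, cannot distinguish the two cases this script separates.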


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org