On 05.06.2026 at 17:04, Mark Thomas wrote:
On 04/06/2026 21:46, Christopher Schultz wrote:
<snip/>
Just remember: every request to a web server is basically an attack.
The only thing that makes something "bad" is if it's worse than normal
users hammering away on your server with legitimate traffic.
Big +1 to this.
This is true. Sometimes it is hard to tell if a website is just a victim
of its own success or if a DoS attack is going on.
Reading https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
and https://github.com/califio/publications/tree/main/MADBugs/http2-bomb
it looks like the attack and blast radius are very implementation
specific.
If yes, the short term solution could be to disable HTTP/2.
Feel free to disable http/2, but my analysis is that Tomcat is as
protected as it can be at this point. I don't believe Tomcat is
affected by CVE-2026-49975.
Agreed. Various Tomcat limits should protect against this attack but the
key one looks to be maximum header size which is set at 8KiB.
Using the terminology of the report, Tomcat has fairly low "per-entry
book-keeping" but Tomcat also explicitly takes account of that overhead
when calculating usage against the limit.
To be sure, I took the PoC that was provided for httpd and ran it
against a default Tomcat build of 12.0.x HEAD. The connections were
closed down pretty much instantly for excessive headers.
As with all open specifications, setting a limit will always find an
application that exceeds it. It is always a balance between experience and
https://xkcd.com/221/.
As this vulnerability depends on chaining two different attack vectors, I
do not have the skills to know what I should look at. So thank you,
Christopher and Mark, for your evaluation.
- Stefan
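The point Mark makes above, that Tomcat charges the per-entry bookkeeping overhead against its 8 KiB header limit rather than counting raw bytes alone, as an added example (this is not code from the thread or from Tomcat; the 32-byte per-entry cost is borrowed from HPACK's dynamic-table accounting in RFC 7541 and is an assumption here, since the thread does not state Tomcat's actual figure):

```python
# Added example, not from the thread or from Tomcat: two ways of charging
# request headers against a size limit. The "accounted" variant adds a fixed
# per-entry overhead, as HPACK does for its dynamic table (RFC 7541, 32 bytes
# per entry). Tomcat's exact accounting is not described in the thread, so the
# constant below is an assumption used for illustration only.

HEADER_LIMIT = 8 * 1024          # 8 KiB, the Tomcat default named in the thread
PER_ENTRY_OVERHEAD = 32          # assumption: RFC 7541 style per-entry cost


def naive_size(headers):
    """Bytes of names and values only; ignores per-entry bookkeeping."""
    return sum(len(name) + len(value) for name, value in headers)


def accounted_size(headers, overhead=PER_ENTRY_OVERHEAD):
    """Names and values plus a fixed overhead for every header entry."""
    return sum(len(name) + len(value) + overhead for name, value in headers)


def accept(headers, limit=HEADER_LIMIT, overhead=PER_ENTRY_OVERHEAD):
    """Return (naive_ok, accounted_ok): whether each accounting method
    would let this header block through the limit."""
    return (naive_size(headers) <= limit,
            accounted_size(headers, overhead) <= limit)


# Constructed sample input: one ordinary request, and one block made of many
# tiny headers whose raw bytes stay well under the limit.
NORMAL = [
    (b"host", b"example.test"),
    (b"user-agent", b"curl/8.0"),
    (b"accept", b"*/*"),
    (b"cookie", b"session=" + b"x" * 200),
]
MANY_TINY = [(b"x", b"y")] * 1000   # 2000 raw bytes spread over 1000 entries

if __name__ == "__main__":
    for label, block in (("normal", NORMAL), ("many tiny", MANY_TINY)):
        naive_ok, accounted_ok = accept(block)
        print(f"{label:>10}: raw={naive_size(block)} "
              f"accounted={accounted_size(block)} "
              f"naive_ok={naive_ok} accounted_ok={accounted_ok}")
```

The ordinary request passes under both methods; the many-tiny-headers block passes the raw-byte count but is rejected once the per-entry overhead is charged, which is the behaviour Mark saw when the connections were closed for excessive headers.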