You are here
Apache Tomcat DoS Vulnerability on HTTP/2
Submitted on 28. March 2019 - 9:31 by Anonymous (not verified).
Last update on 18. August 2020 - 16:43.
Last update on 18. August 2020 - 16:43.
IDs:
CVE-2019-0199
Keywords:
Tomcat, DoS, Denial of Service, HTTP/2
Description:
The Apache Tomcat HTTP Server versions before 8.5.38 / 9.0.16 are affected by a severe DoS vulnerability CVE-2019-0199. If the HTTP/2 implementation is used, an attacker can block threads which leads to DoS.
Airlock IAM is not affected
Airlock IAM 7.0 is not affected, since HTTP/2 is disabled and cannot be used. Older versions of Airlock IAM are not affected in the default configuration, as HTTP/2 is disabled. If HTTP/2 was manually enabled, Airlock WAF protects as described below.
Airlock WAF is not affected
Airlock WAF is not affected because HTTP/2 is disabled for the Apache Tomcat HTTP Server. Airlock WAF further protects back-ends, since HTTP/2 is not used for back-end connections.
Resolution:
No action is required.
Component:
Airlock
Airlock Vulnerability Status:
Does not affect Airlock
Back-end Vulnerability Status:
Does not affect back-end behind Airlock