You are here

Apache Tomcat DoS Vulnerability on HTTP/2

Tomcat, DoS, Denial of Service, HTTP/2

The Apache Tomcat HTTP Server versions before 8.5.38 / 9.0.16 are affected by a severe DoS vulnerability CVE-2019-0199. If the HTTP/2 implementation is used, an attacker can block threads which leads to DoS.

Airlock IAM is not affected

Airlock IAM 7.0 is not affected, since HTTP/2 is disabled and cannot be used. Older versions of Airlock IAM are not affected in the default configuration, as HTTP/2 is disabled. If HTTP/2 was manually enabled, Airlock WAF protects as described below.

Airlock WAF is not affected

Airlock WAF is not affected because HTTP/2 is disabled for the Apache Tomcat HTTP Server. Airlock WAF further protects back-ends, since HTTP/2 is not used for back-end connections.


No action is required.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock