CVE-2019-0199:Apache Tomcat DDOS

0X00 Vulnerability Overview

The HTTP/2 implementation in Apache Tomcat has a denial-of-service vulnerability. Because of how the flow-control configuration was handled, the server accepted a large number of streams, and a client that neither read nor wrote on its requests could keep the connection open for a long time. If a client opens too many such connections, the server's worker threads are eventually exhausted, and an attacker who successfully exploits this vulnerability achieves a denial of service against the target.

Affected versions:

9.0.0.M1 < Apache Tomcat < 9.0.14

8.5.0 < Apache Tomcat < 8.5.37

Non-affected versions:

Apache Tomcat 9.0.16

Apache Tomcat 8.5.38

0X01 version check

The installation package downloaded from the official Apache Tomcat website usually carries the Tomcat version in its file name, so the current version can be read from the folder name after the archive is extracted.

If the Tomcat directory was renamed after extraction, or Tomcat was installed through the Windows Service Installer, use the version tool that ships with the software: go to the bin directory under the Tomcat installation directory and run version.bat (version.sh on Linux) to display the current version number.
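The version check described above can be scripted so that the output of version.sh / version.bat is compared against the fixed releases. The following is an added example, not code from the original post or from the Tomcat project; the helper names and the sample output are constructed for illustration, and the check treats any 9.0.x release below 9.0.16 and any 8.5.x release below 8.5.38 as still needing the upgrade.

```shell
#!/bin/sh
# Added example (not part of the original post): classify a Tomcat version
# string against the releases that carry the CVE-2019-0199 fix.

# Returns 0 (true) when the version is a 9.0.x release below 9.0.16 or an
# 8.5.x release below 8.5.38, i.e. still needs the upgrade. Milestone
# versions such as 9.0.0.M1 are compared by their numeric prefix (9.0.0).
tomcat_is_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s' "$ver" | cut -s -d. -f3 | sed 's/[^0-9].*//')
    patch=${patch:-0}
    case "$major.$minor" in
        9.0) [ "$patch" -lt 16 ] ;;   # fixed in 9.0.16
        8.5) [ "$patch" -lt 38 ] ;;   # fixed in 8.5.38
        *)   return 1 ;;              # other branches are outside the advisory
    esac
}

# Reads version.sh / version.bat output on stdin and prints the version,
# taken from the "Server version: Apache Tomcat/x.y.z" line.
tomcat_version_from_output() {
    sed -n 's#^Server version: *Apache Tomcat/##p' | head -n 1
}

# Prints a verdict for one captured version.sh output; exit status 0 means
# the installation is affected, 1 means it is not.
report_version() {
    v=$(printf '%s\n' "$1" | tomcat_version_from_output)
    if [ -z "$v" ]; then
        echo "could not find a 'Server version:' line in the output"
        return 1
    fi
    if tomcat_is_affected "$v"; then
        echo "Tomcat $v: affected by CVE-2019-0199, upgrade to 9.0.16 / 8.5.38"
        return 0
    fi
    echo "Tomcat $v: not in an affected release"
    return 1
}

# Constructed sample output standing in for `$CATALINA_HOME/bin/version.sh`.
SAMPLE_OUTPUT='Server version: Apache Tomcat/9.0.14
Server number:  9.0.14.0'

report_version "$SAMPLE_OUTPUT"
```

In practice the constructed sample is replaced by the real tool output, for example `report_version "$("$CATALINA_HOME"/bin/version.sh)"`, and the exit status makes the check usable from an inventory or compliance script.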

0X02 Vulnerability Protection

The vendor has fixed the vulnerability in Apache Tomcat 9.0.16 and 8.5.38; affected users should upgrade as soon as possible.

Download link: https://archive.apache.org/dist/tomcat

Note: Back up business data and the runtime environment before upgrading, to guard against the risk that the system becomes unavailable after the upgrade.

Origin www.cnblogs.com/L0ading/p/12312084.html