|Description||In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||medium (attack range: remote)|
|Debian Bugs||802312, 860070|
Vulnerable and fixed packages
The table below lists information on source packages.
|tomcat8 (PTS)||jessie (security), jessie||8.0.14-1+deb8u11||fixed|
|stretch (security), stretch||8.5.14-1+deb9u2||fixed|
The information below is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
[jessie] - tomcat8 <not-affected> (Only affects 8.5 and later)
Fixed by: http://svn.apache.org/r1788480 (8.5.x)