Fwd: [thredds] [SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service

Skip to first unread message

Roy Mendelssohn - NOAA Federal

Mar 13, 2024, 2:41:55 PMMar 13
to 'Chris John - NOAA Affiliate' via ERDDAP
Hi All:

Please see below courtesy of UCAR.  Please consider updating your tomcats in order to keep your ERDDAP instance as secure as possible.



Begin forwarded message:

From: Jennifer Oxelson Ganter <oxe...@ucar.edu>
Subject: [thredds] Fwd: [SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service
Date: March 13, 2024 at 9:18:45 AM PDT
To: THREDDS community <thr...@unidata.ucar.edu>

Hello all,

Two new high-level CVEs were just issued for Tomcat (CVE-2024-24549 & CVE-2024-23672).  Please make sure you are running the latest version. 

---------- Forwarded message ---------
From: Mark Thomas <ma...@apache.org>
Date: Wed, Mar 13, 2024 at 9:46 AM
Subject: [SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service
To: us...@tomcat.apache.org <us...@tomcat.apache.org>
Cc: <anno...@apache.org>, anno...@tomcat.apache.org <anno...@tomcat.apache.org>, Tomcat Developers List <d...@tomcat.apache.org>

CVE-2024-24549 Apache Tomcat - Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M16
Apache Tomcat 10.1.0-M1 to 10.1.18
Apache Tomcat 9.0.0-M1 to 9.0.85
Apache Tomcat 8.5.0 to 8.5.98

When processing an HTTP/2 request, if the request exceeded any of the
configured limits for headers, the associated HTTP/2 stream was not
reset until after all of the headers had been processed.

Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 11.0.0-M17 or later
- Upgrade to Apache Tomcat 10.1.19 or later
- Upgrade to Apache Tomcat 9.0.86 or later
- Upgrade to Apache Tomcat 8.5.99 or later

This vulnerability was reported responsibly to the Tomcat security team
by Bartek Nowotarski (https://nowotarski.info/).

2024-03-13 Original advisory

[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html

Jennifer Oxelson Ganter                                       NSF Unidata
Software Engineer IV                                          P.O. Box 3000 
oxe...@ucar.edu                                       Boulder, CO 80307

NOTE: All exchanges posted to Unidata maintained email lists are
recorded in the Unidata inquiry tracking system and made publicly
available through the web.  Users who post to any of the lists we
maintain are reminded to remove any personal information that they
do not want to be made public.

thredds mailing list
For list information or to unsubscribe,  visit: https://www.unidata.ucar.edu/mailing_lists/

"The contents of this message do not reflect any position of the U.S. Government or NOAA."
Roy Mendelssohn
Supervisory Operations Research Analyst
Environmental Research Division
Southwest Fisheries Science Center
***Note new street address***
110 McAllister Way
Santa Cruz, CA 95060
Phone: (831)-420-3666
Fax: (831) 420-3980
e-mail: Roy.Men...@noaa.gov www: https://www.pfeg.noaa.gov/

"Old age and treachery will overcome youth and skill."
"From those who have been given much, much will be expected" 
"the arc of the moral universe is long, but it bends toward justice" -MLK Jr.

Reply all
Reply to author
0 new messages