Potential Risk of CVE

Apache Releases Security Advisory for Apache Tomcat (26th Jun 2020)

Leave a comment

Preface: As of June 2020, Apache is used by 37.7% of all the websites.

Versions Affected:
Apache Tomcat 10.0.0 – M1 to 10.0.0 – M5
Apache Tomcat 9.0.0. M1 to 9.0.35
Apache Tomcat 8.5.0 to 8.5.55

Impact: An attacker could exploit this vulnerability to cause a denial-of-service condition.

Background: HTTP/2 uses header compression which requires a strict commitment of resources compared to HTTP/1.1. The attack vectors for the vulnerabilities discovered in HTTP/2 follow a certain pattern. The main goal is to setup a queue of responses to exhaust the resources on a server.

Official announcement: The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache security advisory for CVE-2019-10072 – http://mail-archives.us.apache.org/mod_mbox/www-announce/202006.mbox/%3Cfd56bc1d-1219-605b-99c7-946bf7bd8ad4%40apache.org%3E

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.