8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.9 Medium
AI Score
Confidence
Low
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%
Issue Overview:
2024-04-01: CVE-2019-0232 was removed from this advisory.
When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to ‘/foo/’ when the user requested ‘/foo’) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. (CVE-2018-11784)
The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API’s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)
Affected Packages:
tomcat8
Issue Correction:
Run yum update tomcat8 to update your system.
New Packages:
noarch:
tomcat8-8.5.40-1.79.amzn1.noarch
tomcat8-docs-webapp-8.5.40-1.79.amzn1.noarch
tomcat8-el-3.0-api-8.5.40-1.79.amzn1.noarch
tomcat8-admin-webapps-8.5.40-1.79.amzn1.noarch
tomcat8-jsp-2.3-api-8.5.40-1.79.amzn1.noarch
tomcat8-log4j-8.5.40-1.79.amzn1.noarch
tomcat8-servlet-3.1-api-8.5.40-1.79.amzn1.noarch
tomcat8-webapps-8.5.40-1.79.amzn1.noarch
tomcat8-lib-8.5.40-1.79.amzn1.noarch
tomcat8-javadoc-8.5.40-1.79.amzn1.noarch
src:
tomcat8-8.5.40-1.79.amzn1.src
Red Hat: CVE-2018-11784, CVE-2019-0199
Mitre: CVE-2018-11784, CVE-2019-0199
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.9 Medium
AI Score
Confidence
Low
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%