The version of Tomcat installed on the remote host is prior to 9.0.16. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.16_security-9 advisory.
- The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API’s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)
Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application’s self-reported version number.