Apache Tomcat: TOMCAT:1ACD2AE0B03FBB401CCE27D5C801BE3B

Published: Feb 08, 2019 - 12:00 a.m. (2019-02-08 00:00:00)

Fixed in Apache Tomcat 9.0.16

Source: Apache Tomcat, tomcat.apache.org

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.727 High
Percentile: 98.0%

Note: The issue below was fixed in Apache Tomcat 9.0.15 but the release vote for the 9.0.15 release candidate did not pass. Therefore, although users must download 9.0.16 to obtain a version that includes a fix for these issues, version 9.0.15 is not included in the list of affected versions.

Important: Denial of Service CVE-2019-0199

The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.

This was fixed in revisions 1852698, 1852699, 1852700, 1852701, 1852702, 1852703, 1852704, 1852705, 1852706 and a1cb1ac7.

This issue was reported to the Apache Tomcat Security Team by Michal Karm Babacek from Red Hat, Inc. on 4 January 2019, with additional issues identified by the Tomcat Security Team. The issue was made public on 25 March 2019.

Affects: 9.0.0.M1 to 9.0.14
