CVE-2024-34750: Apache Tomcat Vulnerability Leaves Servers Open to Attack
The Apache Software Foundation has issued a security advisory warning users of a denial-of-service (DoS) vulnerability in its widely used Tomcat web server software. With a severity rating classified as ‘Important’, the flaw, tracked as CVE-2024-34750, could allow malicious actors to cripple Tomcat servers, disrupting websites, applications, and other online services.
The vulnerability stems from how Tomcat handles HTTP/2 streams, a modern protocol designed to improve website performance. Under specific conditions, an attacker can craft requests carrying an excessive number of HTTP headers. When Tomcat processes such a request, it miscounts the number of active streams and fails to close connections that should have been terminated. The result? A connection stuck in an infinite timeout, which ties up server resources and effectively shuts down normal operations.
This vulnerability was discovered and responsibly reported to the Tomcat security team by security researcher “devme4f” from VNPT-VCI, a prominent Vietnamese internet service provider.
The CVE-2024-34750 vulnerability affects a wide range of Tomcat versions, including:
- Apache Tomcat 11.0.0-M1 to 11.0.0-M20
- Apache Tomcat 10.1.0-M1 to 10.1.24
- Apache Tomcat 9.0.0-M1 to 9.0.89
Given Tomcat’s immense popularity as a web server and servlet container, this vulnerability poses a significant risk to countless websites and applications worldwide. Any organization or individual running a vulnerable version of Tomcat is urged to take immediate action.
Fortunately, the Apache Software Foundation has released patches to address the issue. Users are strongly advised to upgrade to one of the following versions:
- Apache Tomcat 11.0.0-M21 or later
- Apache Tomcat 10.1.25 or later
- Apache Tomcat 9.0.90 or later
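The affected and fixed version ranges above are the practical test an administrator needs when triaging an estate of Tomcat instances. The following Python script is an added example, not code from the Apache Tomcat project or from the advisory; it encodes exactly the ranges listed on this page and nothing more. It assumes you can obtain a version string per host (for instance from an inventory export or the `Server version:` line printed by Tomcat's own version script) and feeds it a small constructed inventory. Milestone builds (`-Mn`) are ordered before the GA release with the same numbers, so `11.0.0-M20` is correctly reported as affected while `11.0.0-M21` and a later `11.0.0` GA are not. Branches the advisory does not mention (for example 8.5.x) are reported as "not listed" rather than as safe, because this page makes no statement about them.

```python
import re
from typing import Dict, Iterable, Tuple

# Version ranges as stated in the advisory text above:
# (major, minor) -> (first affected version, first fixed version)
AFFECTED_RANGES = {
    (11, 0): ("11.0.0-M1", "11.0.0-M21"),
    (10, 1): ("10.1.0-M1", "10.1.25"),
    (9, 0): ("9.0.0-M1", "9.0.90"),
}

# Matches "9.0.89", "11.0.0-M20", or those numbers embedded in "Apache Tomcat/9.0.89"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")

# Sort key: (major, minor, patch, is_ga, milestone_number).
# A milestone has is_ga=0 so it sorts before the GA build (is_ga=1) of the same numbers.
VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Extract a Tomcat version from a string such as 'Apache Tomcat/9.0.89' or '11.0.0-M20'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, 0)            # GA release
    return (major, minor, patch, 0, int(m.group(4)))  # milestone build


def assess(text: str) -> str:
    """Classify a version against the advisory: 'affected', 'fixed', or 'not listed'.

    'not listed' covers branches the advisory does not mention; it is not a
    statement that such a version is safe.
    """
    v = parse_version(text)
    branch = (v[0], v[1])
    if branch not in AFFECTED_RANGES:
        return "not listed"
    first_affected, first_fixed = (parse_version(s) for s in AFFECTED_RANGES[branch])
    if first_affected <= v < first_fixed:
        return "affected"
    if v >= first_fixed:
        return "fixed"
    return "not listed"


def scan_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Map 'hostname <version string>' lines to their assessment, one entry per host."""
    results: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        host, _, version_text = line.partition(" ")
        results[host] = assess(version_text)
    return results


# Constructed sample inventory (hypothetical hostnames and versions, for demonstration only)
SAMPLE_INVENTORY = [
    "web-01 Server version: Apache Tomcat/9.0.89",
    "web-02 Server version: Apache Tomcat/9.0.90",
    "api-01 Server version: Apache Tomcat/10.1.24",
    "api-02 Server version: Apache Tomcat/11.0.0-M20",
    "api-03 Server version: Apache Tomcat/11.0.0-M21",
    "legacy-01 Server version: Apache Tomcat/8.5.100",
]

if __name__ == "__main__":
    for host, status in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts reported as "affected" should be upgraded to the corresponding fixed version listed above; "not listed" hosts need a separate check against Apache's own advisories for their branch.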