CVE-2024-34750
Published: 03 July 2024
Summary
CVE-2024-34750 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apache Tomcat, also classified as Improper Handling of Exceptional Conditions (CWE-755). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 4.2% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-34750 is an uncontrolled resource consumption vulnerability in Apache Tomcat stemming from improper handling of exceptional conditions during HTTP/2 stream processing. Affected versions fail to correctly manage cases involving excessive HTTP headers, resulting in miscounting of active streams and application of an infinite timeout that leaves connections open when they should be terminated. The issue impacts Tomcat releases 11.0.0-M1 through 11.0.0-M20, 10.1.0-M1 through 10.1.24, and 9.0.0-M1 through 9.0.89, as well as earlier end-of-life branches including 8.5.0 through 8.5.100.
Remote, unauthenticated attackers can trigger the flaw by sending HTTP/2 requests with excessive headers. Because the mishandled streams are counted wrongly and the connection is then given an infinite timeout, each such request leaves a connection open that should have been closed; enough of them exhaust server resources and deny service to other clients. This matches the CVSS 7.5 rating, whose impact is on availability only, with no confidentiality or integrity component.
Apache Tomcat project advisories direct users to upgrade immediately to the patched releases 11.0.0-M21, 10.1.25, or 9.0.90. Corresponding notices from distributors such as Debian and NetApp reiterate the same remediation steps and reference the original Apache announcement for further details.
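Triage starts with knowing which release is actually running. The script below is an added example, not from the Apache advisory or the Tomcat project: it encodes the affected and fixed ranges stated above, orders milestone builds correctly (11.0.0-M20 precedes 11.0.0-M21, which precedes the 11.0.0 GA release), and reads the version out of bin/version.sh output. The version.sh sample is constructed; the "Server version: Apache Tomcat/<version>" line it relies on is the standard one. Branches the advisory does not enumerate (10.0.x, 7.0.x) are reported as unknown, because the advisory only says that other EOL versions may also be affected.

```python
"""Check a Tomcat version against the CVE-2024-34750 affected ranges.

Added example (not from the advisory or from Tomcat). The ranges are
transcribed from the CVE description; the version.sh parsing assumes the
standard "Server version: Apache Tomcat/<version>" line.
"""
import re
from typing import Optional, Tuple

# Tomcat version: major.minor.patch with an optional milestone suffix -M<n>.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# "Server version: Apache Tomcat/9.0.89" in version.sh output (the same
# string appears in Tomcat's default error-page footer).
_SERVER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sort key that orders milestones before the GA release of the same
    number: 11.0.0-M20 < 11.0.0-M21 < 11.0.0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)   # GA release
    return (int(major), int(minor), int(patch), 0, int(milestone))


# branch -> (first affected, last affected, fixed release or None when EOL),
# as stated in the CVE description.
AFFECTED_RANGES = {
    (11, 0): ("11.0.0-M1", "11.0.0-M20", "11.0.0-M21"),
    (10, 1): ("10.1.0-M1", "10.1.24", "10.1.25"),
    (9, 0): ("9.0.0-M1", "9.0.89", "9.0.90"),
    (8, 5): ("8.5.0", "8.5.100", None),   # EOL: known affected, no fix
}


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version); status is 'fixed', 'affected',
    'affected-eol' or 'unknown'."""
    key = version_key(version)
    branch = AFFECTED_RANGES.get(key[:2])
    if branch is None:
        # 7.0.x, 8.0.x, 10.0.x: EOL branches the advisory does not list
        # but says "may also be affected".
        return ("unknown", None)
    first, last, fixed = branch
    if fixed is not None and key >= version_key(fixed):
        return ("fixed", fixed)
    if version_key(first) <= key <= version_key(last):
        return ("affected" if fixed else "affected-eol", fixed)
    return ("unknown", fixed)


def assess_version_output(text: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Extract the version from bin/version.sh (or catalina.sh version)
    output and assess it. Returns (version, status, fixed_version)."""
    m = _SERVER_RE.search(text)
    if not m:
        return (None, "unknown", None)
    status, fixed = assess(m.group(1))
    return (m.group(1), status, fixed)


# Constructed sample of version.sh output (not captured from a real host).
SAMPLE_VERSION_SH = """\
Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.89
Server number:  9.0.89.0
OS Name:        Linux
"""

if __name__ == "__main__":
    for v in ["9.0.89", "9.0.90", "11.0.0-M20", "11.0.0-M21", "8.5.100", "10.0.27"]:
        print(f"{v:12s} -> {assess(v)}")
    print(assess_version_output(SAMPLE_VERSION_SH))
```

Run it against the real output of bin/version.sh on each host; an "affected-eol" result means the only remediation is moving to a supported branch, and an "unknown" result is a prompt to check the branch's own status rather than a clean bill of health.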
EPSS scores have remained essentially flat near 0.22 with no material post-disclosure climb.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2438
Vulnerability details
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
- CWE(s): CWE-755 (Improper Handling of Exceptional Conditions), CWE-400 (Uncontrolled Resource Consumption)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
MTTF monitoring plus ready substitutes directly mitigate sustained resource exhaustion by allowing component swap before or at failure.
Limiting concurrent sessions caps the number of active sessions per user or account. For this CVE the attacker is unauthenticated, so the analogous control is a cap on concurrent connections and HTTP/2 streams per client, not a per-account session limit.
Provides defined handling (alert and additional actions) for the exceptional condition of audit logging failure.
Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.
Supplies a concrete handling action (safe mode) for exceptional conditions, mitigating risks from improper or absent handling that could allow continued attacks.
By preparing users for contingency scenarios, the control promotes proper handling of exceptional conditions instead of default or unsafe behaviors.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
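The analysis control above needs something concrete to look at. What this bug leaves behind is a pile of established connections that never drain, so a quick check on the Tomcat host is the distribution of open connections per peer. The script below is an added example, not from the advisory and not Tomcat code: it parses the output of ss -Htn state established '( sport = :8443 )' (Linux iproute2; with -H and a single state filter ss prints no header and no State column, so each line is Recv-Q, Send-Q, Local:Port, Peer:Port) and reports peers at or above a threshold. The port 8443, the threshold of 50 and the sample output are assumptions or constructed data.

```python
"""Find clients holding many open connections to the Tomcat HTTP/2 port.

Added example: not from the advisory and not Tomcat code. Parses
`ss -Htn state established '( sport = :8443 )'` output (Linux iproute2).
The port (8443) and the threshold are assumptions; tune both per deployment.
"""
from collections import Counter
from typing import Dict, List, Tuple


def peer_host(addr_port: str) -> str:
    """Strip the port from 'host:port' or '[v6addr]:port'."""
    host, _sep, _port = addr_port.rpartition(":")
    return host.strip("[]")


def parse_ss_peers(ss_output: str) -> List[str]:
    """Return the peer host of every socket line. Without -o/-p/-e the peer
    address is always the last whitespace-separated field."""
    peers = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:          # blank or truncated line
            continue
        peers.append(peer_host(fields[-1]))
    return peers


def connection_counts(ss_output: str) -> Dict[str, int]:
    """Established connections per peer host."""
    return dict(Counter(parse_ss_peers(ss_output)))


def suspicious_peers(ss_output: str, threshold: int = 50) -> List[Tuple[str, int]]:
    """Peers at or above the threshold, busiest first. Many established
    connections from a few peers that never drain is the footprint an
    exploit of CVE-2024-34750 leaves on the socket table."""
    counts = Counter(parse_ss_peers(ss_output))
    return sorted(((p, n) for p, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


# Constructed ss output using documentation address ranges (not a real
# capture): one peer holding 60 connections, one holding 3, one IPv6 peer
# holding 1.
SAMPLE_SS = "\n".join(
    [f"0      0      10.0.0.5:8443      203.0.113.7:{40000 + i}" for i in range(60)]
    + [f"0      0      10.0.0.5:8443      198.51.100.9:{50000 + i}" for i in range(3)]
    + ["0      0      [2001:db8::a]:8443 [2001:db8::77]:40123"]
)

if __name__ == "__main__":
    import subprocess
    import sys

    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        out = subprocess.run(
            ["ss", "-Htn", "state", "established", "( sport = :8443 )"],
            capture_output=True, text=True, check=True,
        ).stdout
    else:
        out = SAMPLE_SS
    for peer, n in suspicious_peers(out, threshold=50):
        print(f"{n:5d} established connections from {peer}")
```

Treat the result as a lead, not a verdict: a reverse proxy or load balancer in front of Tomcat legitimately concentrates many connections on one source address, so compare against the baseline for that deployment, and confirm with the connection ages (ss -o) that the suspicious set is the one that is not draining.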