JVN#72148744
Apache Tomcat improper handling of TLS handshake process data
Overview
Apache Tomcat provided by The Apache Software Foundation improperly handles TLS handshake process data, which may lead to a denial-of-service (DoS) condition.
Products Affected
- Apache Tomcat versions from 11.0.0-M1 to 11.0.0-M20
- Apache Tomcat versions from 10.1.0-M1 to 10.1.24
- Apache Tomcat versions from 9.0.13 to 9.0.89
Description
Apache Tomcat provided by The Apache Software Foundation improperly handles TLS handshake process data, which may lead to a denial-of-service (DoS) condition (CWE-770, CVE-2024-38286).
Impact
Denial-of-service (DoS) attacks may be conducted over a TLS connection.
Solution
Update the software
Update Apache Tomcat to the latest version according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.
- Apache Tomcat 11.0.0-M21
- Apache Tomcat 10.1.25
- Apache Tomcat 9.0.90
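As an added example that is not part of the JVN advisory or of the Apache Tomcat project, the script below turns the affected and fixed version ranges listed above into a check an administrator can run against an installed Tomcat. It handles the milestone suffix (for example 11.0.0-M20) that plain string comparison gets wrong, and it can read the version out of the `Server version: Apache Tomcat/...` line printed by Tomcat's `version.sh`/`version.bat`. Only the version boundaries come from the advisory; the function names, the sentinel used to order GA releases after milestones, and the sample strings are this example's own assumptions.

```python
import re
from typing import Optional, Tuple

# Affected ranges and the corresponding fixed release, exactly as stated in
# JVN#72148744 / CVE-2024-38286: (first affected, last affected, fixed in).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M20", "11.0.0-M21"),
    ("10.1.0-M1", "10.1.24", "10.1.25"),
    ("9.0.13", "9.0.89", "9.0.90"),
]

# Assumed sentinel: a GA release (no -M suffix) must sort after every milestone
# of the same number, so it gets a milestone value larger than any real one.
_GA_SENTINEL = 10**9

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_SERVER_INFO_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch' or 'major.minor.patch-Mn' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else _GA_SENTINEL
    return (int(major), int(minor), int(patch), ms)


def version_from_server_info(output: str) -> str:
    """Extract the version from the 'Server version: Apache Tomcat/X' line of version.sh."""
    m = _SERVER_INFO_RE.search(output)
    if not m:
        raise ValueError("no 'Apache Tomcat/<version>' token found in output")
    return m.group(1)


def assess(version_text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version). fixed_version is None when not affected.

    A version below the first affected release of a branch (e.g. 9.0.12) or at or
    above the fixed release is reported as not affected; branches the advisory
    does not list (e.g. 8.5.x) are also reported as not affected by this advisory.
    """
    v = parse_version(version_text)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return True, fixed
    return False, None


if __name__ == "__main__":
    # Constructed sample: the first lines that version.sh prints on a 9.0.89 install.
    sample_output = (
        "Using CATALINA_BASE:   /opt/tomcat\n"
        "Server version: Apache Tomcat/9.0.89\n"
        "Server built:   Jun 1 2024 00:00:00 UTC\n"
    )
    installed = version_from_server_info(sample_output)
    affected, fixed = assess(installed)
    if affected:
        print(f"Tomcat {installed} is affected by CVE-2024-38286; update to {fixed}")
    else:
        print(f"Tomcat {installed} is not in an affected range of this advisory")
```

Run it with the output of `$CATALINA_HOME/bin/version.sh` piped in, or call `assess()` directly with a version string; a False result for an unlisted branch means only that this advisory does not cover it, not that the branch is free of other issues.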
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Fujitsu Limited | Not Vulnerable, investigating | 2024/10/01 | |
Hitachi | Vulnerability Information Provided | 2024/10/01 | |
NEC Corporation | Not Vulnerable, investigating | 2024/10/01 | |
North Grid Corporation | Vulnerable | 2024/10/01 | North Grid Corporation website |
OMRON Corporation | Vulnerability Information Provided | 2024/10/01 | |
RICOH COMPANY, LTD. | Vulnerability Information Provided | 2024/10/01 | |
Smart Solution Technology, Inc. | Not Vulnerable, investigating | 2024/10/01 | |
Takara medical Co., Ltd. | Vulnerability Information Provided | 2024/10/01 | |
Vendor | Link |
---|---|
The Apache Software Foundation | [SECURITY] CVE-2024-38286 Apache Tomcat - Denial of Service |
 | Fixed in Apache Tomcat 11.0.0-M21 |
 | Fixed in Apache Tomcat 10.1.25 |
 | Fixed in Apache Tomcat 9.0.90 |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3 base metrics assessed: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A).
Credit
The reporter, Ozaki of North Grid Corporation, reported this issue directly to and coordinated with the developer.
After the coordination, the reporter also reported the case to IPA, and JPCERT/CC coordinated with the developer to publish the advisory on JVN.
Other Information
Source | Reference |
---|---|
CVE | CVE-2024-38286 |
JVN iPedia | JVNDB-2024-000108 |
Update History
- 2024/10/01
- Fujitsu Limited update status