Published: 2024/10/01  Last Updated: 2024/10/01

JVN#72148744
Apache Tomcat improper handling of TLS handshake process data

Overview

Apache Tomcat provided by The Apache Software Foundation improperly handles TLS handshake process data, which may lead to a denial-of-service (DoS) condition.

Products Affected

  • Apache Tomcat versions from 11.0.0-M1 to 11.0.0-M20
  • Apache Tomcat versions from 10.1.0-M1 to 10.1.24
  • Apache Tomcat versions from 9.0.13 to 9.0.89

Description

Apache Tomcat provided by The Apache Software Foundation improperly handles TLS handshake process data, which may lead to a denial-of-service (DoS) condition (CWE-770, CVE-2024-38286).

Impact

A denial-of-service (DoS) attack may be conducted over a TLS connection.

Solution

Update the software
Update Apache Tomcat to the latest version according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.

  • Apache Tomcat 11.0.0-M21
  • Apache Tomcat 10.1.25
  • Apache Tomcat 9.0.90
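As an added example that is not part of the JVN advisory or of Apache Tomcat itself, the following Python script turns the affected ranges and fixed releases listed above into a check that can be run over an inventory of Tomcat version strings. Milestone builds (the -Mn suffix) are ordered before the final release of the same numeric version, which is how 11.0.0-M20 ends up inside the 11.x range while 11.0.0-M21 does not. The host names in the sample inventory are constructed.

```python
import re
from typing import Optional, Tuple

# Affected ranges (inclusive) and fixed release per branch, as published
# in JVN#72148744 / CVE-2024-38286.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M20", "11.0.0-M21"),
    ("10.1.0-M1", "10.1.24", "10.1.25"),
    ("9.0.13", "9.0.89", "9.0.90"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '9.0.89' or '11.0.0-M20' into a sortable tuple.

    The fourth element is 0 for a milestone build and 1 for a final
    release, so 11.0.0-M20 < 11.0.0-M21 < 11.0.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def check_tomcat_version(text: str) -> Optional[str]:
    """Return the fixed release to upgrade to if `text` is affected, else None.

    A None result only means the version is outside the ranges in this
    advisory; it says nothing about other Tomcat advisories.
    """
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory (host name, reported Tomcat version).
    inventory = [
        ("web-1", "9.0.89"),
        ("web-2", "9.0.90"),
        ("api-1", "11.0.0-M20"),
        ("api-2", "10.1.0-M5"),
        ("legacy-1", "9.0.12"),
    ]
    for host, version in inventory:
        fixed = check_tomcat_version(version)
        if fixed:
            print(f"{host}: Tomcat {version} is affected, upgrade to {fixed}")
        else:
            print(f"{host}: Tomcat {version} is outside the affected ranges")
```

The check is deliberately strict about version syntax: anything that does not match `major.minor.patch[-Mn]` raises instead of silently passing, so an odd vendor-repackaged version string surfaces for manual review rather than being reported as unaffected.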

Vendor Status

Vendor                            Status                              Last Update  Vendor Notes
Fujitsu Limited                   Not Vulnerable, investigating       2024/10/01
Hitachi                           Vulnerability Information Provided  2024/10/01
NEC Corporation                   Not Vulnerable, investigating       2024/10/01
North Grid Corporation            Vulnerable                          2024/10/01   North Grid Corporation website
OMRON Corporation                 Vulnerability Information Provided  2024/10/01
RICOH COMPANY, LTD.               Vulnerability Information Provided  2024/10/01
Smart Solution Technology, Inc.   Not Vulnerable, investigating       2024/10/01
Takara medical Co., Ltd.          Vulnerability Information Provided  2024/10/01

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score: 7.5
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): None (N)
Integrity Impact (I): None (N)
Availability Impact (A): High (H)

Credit

The reporter, Ozaki of North Grid Corporation, reported this issue directly to and coordinated with the developer.
After the coordination, the reporter also reported the case to IPA, and JPCERT/CC coordinated with the developer to publish the advisory on JVN.

Other Information

CVE: CVE-2024-38286
JVN iPedia: JVNDB-2024-000108

Update History

2024/10/01
Fujitsu Limited update status