Vulnerabilities > CVE-2019-10072 - Improper Locking vulnerability in Apache Tomcat

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
apache
CWE-667
nessus

Summary

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Race Conditions via Symbolic Links
    This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to her. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file she will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.

Nessus

  • NASL familyWeb Servers
    NASL idTOMCAT_9_0_20.NASL
    descriptionThe version of Tomcat installed on the remote host is prior to 9.0.20. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.20_security-9 advisory. - The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-10072) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-03-18
    modified2019-06-25
    plugin id126245
    published2019-06-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126245
    titleApache Tomcat 9.0.0.M1 < 9.0.20 a vulnerability
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126245);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/22");
    
      script_cve_id("CVE-2019-0199", "CVE-2019-10072");
    
      script_name(english:"Apache Tomcat 9.0.0.M1 < 9.0.20 DoS");
      script_summary(english:"Checks the version of Apache_Tomcat.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Apache Tomcat server is affected by a denial of service vulnerability");
      script_set_attribute(attribute:"description", value:
    "The version of Tomcat installed on the remote host is prior to 9.0.20. It is, therefore, affected by a vulnerability as
    referenced in the fixed_in_apache_tomcat_9.0.20_security-9 advisory.
    
      - The fix for CVE-2019-0199 was incomplete and did not
        address HTTP/2 connection window exhaustion on write. By
        not sending WINDOW_UPDATE messages for the connection
        window (stream 0) clients were able to cause server-side
        threads to block eventually leading to thread exhaustion
        and a DoS. (CVE-2019-10072)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/apache/tomcat/commit/7f748eb");
      script_set_attribute(attribute:"see_also", value:"https://github.com/apache/tomcat/commit/ada725a");
      script_set_attribute(attribute:"see_also", value:"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Tomcat version 9.0.20 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0199");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/25");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
      script_set_attribute(attribute:"agent", value:"all");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin");
      script_require_keys("installed_sw/Apache Tomcat");
    
    
      exit(0);
    }
    
    include('tomcat_version.inc');
    
    tomcat_check_version(fixed: '9.0.20', min:'9.0.0.M1', severity:SECURITY_WARNING, granularity_regex: "^9(\.0)?$");
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-3_0-0024_APACHE.NASL
    descriptionAn update of the apache package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id128151
    published2019-08-26
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128151
    titlePhoton OS 3.0: Apache PHSA-2019-3.0-0024
  • NASL familyWeb Servers
    NASL idTOMCAT_8_5_41.NASL
    descriptionThe version of Tomcat installed on the remote host is prior to 8.5.41. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.41_security-8 advisory. - The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-10072) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-03-18
    modified2019-06-24
    plugin id126125
    published2019-06-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126125
    titleApache Tomcat 8.5.0 < 8.5.41 a vulnerability
  • NASL familyDatabases
    NASL idORACLE_RDBMS_CPU_JAN_2020.NASL
    descriptionThe remote Oracle Database Server is missing the January 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities: - A denial of service (DoS) vulnerability exists in the Core RDBMS component of Oracle Database Server. An authenticated, remote attacker can exploit this issue, to cause the application to stop responding. (CVE-2020-2511) - A remote code execution vulnerability exists in the Core RDBMS component of Oracle Database Server. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. (CVE-2020-2510) - An unspecified vulnerability exists in the JavaVM component of Oracle Database Server. An authenicated, remote attacker can exploit this issue, to affect the confidentiality, integrity and availability of the application. It is also affected by additional vulnerabilities; see the vendor advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-02
    modified2020-01-17
    plugin id133047
    published2020-01-17
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133047
    titleOracle Database Server Multiple Vulnerabilities (Jan 2020 CPU)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-3929.NASL
    descriptionUpdated Red Hat JBoss Web Server 5.2.0 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.2 serves as a replacement for Red Hat JBoss Web Server 5.1, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References. Security Fix(es) : * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407) * openssl: 0-byte record padding oracle (CVE-2019-1559) * tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 (CVE-2019-10072) * tomcat: XSS in SSI printenv (CVE-2019-0221) * tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-03-18
    modified2019-11-22
    plugin id131214
    published2019-11-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131214
    titleRHEL 6 / 7 / 8 : JBoss Web Server (RHSA-2019:3929)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-38.NASL
    descriptionThis update for tomcat to version 9.0.30 fixes the following issues : Security issue fixed : - CVE-2019-12418: Fixed a local privilege escalation through by manipulating the RMI registry and performing a man-in-the-middle attack (bsc#1159723). - CVE-2019-17563: Fixed a session fixation attack when using FORM authentication (bsc#1159729). This update was imported from the SUSE:SLE-15-SP1:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id132913
    published2020-01-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132913
    titleopenSUSE Security Update : tomcat (openSUSE-2020-38)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2094.NASL
    descriptionAccording to the version of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.(CVE-2019-10072) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2019-09-30
    plugin id129453
    published2019-09-30
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129453
    titleEulerOS 2.0 SP8 : tomcat (EulerOS-SA-2019-2094)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4680.NASL
    descriptionSeveral vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface.
    last seen2020-05-12
    modified2020-05-07
    plugin id136376
    published2020-05-07
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136376
    titleDebian DSA-4680-1 : tomcat9 - security update
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4128-1.NASL
    descriptionIt was discovered that the Tomcat 8 SSI printenv command echoed user provided data without escaping it. An attacker could possibly use this issue to perform an XSS attack. (CVE-2019-0221) It was discovered that Tomcat 8 did not address HTTP/2 connection window exhaustion on write while addressing CVE-2019-0199. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-10072). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128682
    published2019-09-11
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128682
    titleUbuntu 16.04 LTS / 18.04 LTS : Tomcat vulnerabilities (USN-4128-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4128-2.NASL
    descriptionIt was discovered that the Tomcat 9 SSI printenv command echoed user provided data without escaping it. An attacker could possibly use this issue to perform an XSS attack. (CVE-2019-0221) It was discovered that Tomcat 9 did not address HTTP/2 connection window exhaustion on write while addressing CVE-2019-0199. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-10072). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129048
    published2019-09-19
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129048
    titleUbuntu 18.04 LTS / 19.04 : Tomcat vulnerabilities (USN-4128-2)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-1_0-0244_APACHE.NASL
    descriptionAn update of the apache package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id126954
    published2019-07-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126954
    titlePhoton OS 1.0: Apache PHSA-2019-1.0-0244

Redhat

advisories
  • rhsa
    idRHSA-2019:3929
  • rhsa
    idRHSA-2019:3931
rpms
  • jws5-ecj-0:4.12.0-1.redhat_1.1.el6jws
  • jws5-ecj-0:4.12.0-1.redhat_1.1.el7jws
  • jws5-ecj-0:4.12.0-1.redhat_1.1.el8jws
  • jws5-javapackages-tools-0:3.4.1-5.15.11.el6jws
  • jws5-javapackages-tools-0:3.4.1-5.15.11.el7jws
  • jws5-javapackages-tools-0:3.4.1-5.15.11.el8jws
  • jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el6jws
  • jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el7jws
  • jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el8jws
  • jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el6jws
  • jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el7jws
  • jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el8jws
  • jws5-mod_cluster-tomcat-0:1.4.1-1.Final_redhat_00001.2.el6jws
  • jws5-mod_cluster-tomcat-0:1.4.1-1.Final_redhat_00001.2.el7jws
  • jws5-mod_cluster-tomcat-0:1.4.1-1.Final_redhat_00001.2.el8jws
  • jws5-python-javapackages-0:3.4.1-5.15.11.el6jws
  • jws5-python-javapackages-0:3.4.1-5.15.11.el7jws
  • jws5-python-javapackages-0:3.4.1-5.15.11.el8jws
  • jws5-tomcat-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-admin-webapps-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-admin-webapps-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-admin-webapps-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-docs-webapp-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-docs-webapp-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-docs-webapp-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-el-3.0-api-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-el-3.0-api-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-el-3.0-api-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-javadoc-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-javadoc-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-javadoc-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-lib-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-lib-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-lib-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-native-0:1.2.21-34.redhat_34.el6jws
  • jws5-tomcat-native-0:1.2.21-34.redhat_34.el7jws
  • jws5-tomcat-native-0:1.2.21-34.redhat_34.el8jws
  • jws5-tomcat-native-debuginfo-0:1.2.21-34.redhat_34.el6jws
  • jws5-tomcat-native-debuginfo-0:1.2.21-34.redhat_34.el7jws
  • jws5-tomcat-native-debuginfo-0:1.2.21-34.redhat_34.el8jws
  • jws5-tomcat-selinux-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-selinux-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-selinux-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el6jws
  • jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el7jws
  • jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el8jws
  • jws5-tomcat-vault-javadoc-0:1.1.8-1.Final_redhat_1.1.el6jws
  • jws5-tomcat-vault-javadoc-0:1.1.8-1.Final_redhat_1.1.el7jws
  • jws5-tomcat-vault-javadoc-0:1.1.8-1.Final_redhat_1.1.el8jws
  • jws5-tomcat-webapps-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-webapps-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-webapps-0:9.0.21-10.redhat_4.1.el8jws