CVE-2024-38286: Denial-of-Service Vulnerability Discovered in Apache Tomcat
The Apache Software Foundation has issued a security advisory for a newly discovered vulnerability in Apache Tomcat that could allow attackers to execute a denial-of-service (DoS) attack. Identified as CVE-2024-38286, this vulnerability is rated as Important and affects several versions of Apache Tomcat across all platforms.
The vulnerability arises from the way Tomcat handles the TLS handshake process under certain configurations. An attacker can exploit this flaw to cause an OutOfMemoryError, effectively crashing the server and disrupting any services relying on it. A successful exploitation of this vulnerability can result in:
- Service Disruption: Critical applications and services running on Tomcat could become unavailable.
- Resource Exhaustion: The server may become unresponsive due to depleted memory resources.
- Operational Downtime: Organizations may face significant downtime, affecting business operations and user accessibility.
The following versions of Apache Tomcat are impacted:
- Apache Tomcat 11.0.0-M1 to 11.0.0-M20
- Apache Tomcat 10.1.0-M1 to 10.1.24
- Apache Tomcat 9.0.13 to 9.0.89
The Apache Software Foundation strongly recommends that all users of the affected versions take immediate action by upgrading to the latest secure versions:
- For Apache Tomcat 11: Upgrade to 11.0.0-M21 or later.
- For Apache Tomcat 10.1: Upgrade to 10.1.25 or later.
- For Apache Tomcat 9.0: Upgrade to 9.0.90 or later.
