CVE-2024-34750
📋 TL;DR
This vulnerability in Apache Tomcat lets an unauthenticated remote client cause uncontrolled resource consumption over HTTP/2. When an HTTP/2 stream carries excessive HTTP headers, Tomcat does not handle some of those cases correctly, and connections that should have been closed are kept open indefinitely; enough of them exhausts the connector's connection limit and denies service to legitimate clients. Affected versions are Tomcat 9.0.0-M1 through 9.0.89, 10.1.0-M1 through 10.1.24, and 11.0.0-M1 through 11.0.0-M20.
💻 Affected Systems
- Apache Tomcat
📦 What is this software?
Tomcat by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service where all available connections are exhausted, making the Tomcat server unavailable to legitimate users.
Likely Case
Degraded performance and eventual service unavailability as the connector's connection limit is consumed over time by connections that never close.
If Mitigated
Limited impact with proper connection limits and monitoring in place, but still vulnerable to targeted attacks.
🎯 Exploit Status
No authentication or special tooling is needed: any client that can reach an HTTP/2-enabled connector can open streams whose headers exceed the configured limits, and each affected connection may then stay open past its timeout. Exploitation is therefore straightforward for anyone with network access. The impact is denial of service only; the flaw provides no code execution or data exposure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.0-M21, 10.1.25, or 9.0.90
Vendor Advisory: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l
Restart Required: Yes
Instructions:
1. Download the patched version from the Apache Tomcat website.
2. Stop the Tomcat service.
3. Back up configuration files.
4. Replace the Tomcat installation with the patched version.
5. Restore configuration files.
6. Start the Tomcat service.
🔧 Temporary Workarounds
Disable HTTP/2
Disable HTTP/2 protocol support so the vulnerable HTTP/2 stream handling is never reached; HTTP/1.1 traffic is outside the affected code path.
Edit server.xml and remove or comment out the UpgradeProtocol element (className="org.apache.coyote.http2.Http2Protocol") nested inside each Connector. Clients then negotiate HTTP/1.1 instead.
Limit HTTP Header Size
Bound the memory a single request can consume by limiting header count and size.
For HTTP/2 these limits are attributes of the UpgradeProtocol element (maxHeaderCount, maxHeaderSize), not the Connector's maxHttpHeaderSize, which applies to HTTP/1.1. Note that the defect is in how Tomcat handles headers that exceed its limits, so tightening the limits does not prevent the trigger; it only caps per-request memory. Treat this as a hardening step, not a substitute for the patch.
🧯 If You Can't Patch
- Implement network-level controls to limit HTTP/2 traffic to trusted sources only
- Deploy rate limiting and connection throttling at load balancer or WAF level
🔍 How to Verify
Check if Vulnerable:
Compare the running Tomcat version against the affected ranges above. Also confirm whether HTTP/2 is actually enabled: a stock server.xml ships the Http2Protocol UpgradeProtocol element commented out inside the example TLS connector, so a bare text search for the class name is not enough; look for the element in an active, uncommented Connector.
Check Version:
java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo
Verify Fix Applied:
Confirm the version reported is 9.0.90+, 10.1.25+, or 11.0.0-M21+. The ServerInfo command above reads the version from catalina.jar, so run it against the installation that is actually started (CATALINA_HOME of the running service), not a stale copy. After the upgrade, check that idle HTTP/2 connections are closed after the configured keep-alive timeout rather than lingering.
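The two checks above, version classification and an HTTP/2-enabled test that ignores commented-out connectors, as an added shell example. This is not code from the page or from the Tomcat project; the function names, the temporary sample server.xml files and the CATALINA_HOME lookup at the end are ours, and the version ranges are the ones this page lists.

```shell
#!/bin/sh
# Added example (not Tomcat's own tooling): classify a Tomcat version against the
# affected ranges on this page and check whether server.xml actually enables HTTP/2.

# Prints "vulnerable", "fixed" or "unlisted" for a version such as 9.0.89,
# 10.1.0-M5 or 11.0.0-M20. Vulnerable: 9.0.0-M1..9.0.89, 10.1.0-M1..10.1.24,
# 11.0.0-M1..11.0.0-M20. Fixed: 9.0.90, 10.1.25, 11.0.0-M21 and later.
cve_2024_34750_status() {
    v="$1"
    base="${v%%-*}"                                   # 11.0.0
    suffix=""
    case "$v" in *-*) suffix="${v#*-}" ;; esac        # M20; empty for GA releases
    major="${base%%.*}"
    rest="${base#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    milestone=0
    case "$suffix" in
        "") ;;
        M*) milestone="${suffix#M}" ;;
        *)  echo unlisted; return 0 ;;                # e.g. -SNAPSHOT builds: not covered here
    esac
    case "$major.$minor" in
        9.0)  if [ "$patch" -lt 90 ]; then echo vulnerable; else echo fixed; fi ;;  # 9.0.0-Mn has patch 0
        10.1) if [ "$patch" -lt 25 ]; then echo vulnerable; else echo fixed; fi ;;
        11.0) if [ "$patch" -eq 0 ] && [ "$milestone" -ge 1 ] && [ "$milestone" -le 20 ]; then
                  echo vulnerable
              else
                  echo fixed                          # 11.0.0-M21 and everything after
              fi ;;
        *)    echo unlisted ;;                        # 8.5.x, 10.0.x: not in this page's ranges
    esac
}

# Removes <!-- ... --> blocks, including multi-line ones, so the Http2Protocol
# example that ships commented out in a stock server.xml is not mistaken for
# an enabled connector.
strip_xml_comments() {
    awk '
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); incomment = 1
            }
        }
        print out
    }' "$1"
}

# Returns 0 when an active (uncommented) Connector nests the HTTP/2 upgrade protocol.
http2_enabled() {
    strip_xml_comments "$1" | grep -q 'org\.apache\.coyote\.http2\.Http2Protocol'
}

tmpdir="$(mktemp -d)"
# Constructed sample 1: shaped like a stock server.xml, HTTP/2 present only inside a comment.
cat > "$tmpdir/no-h2.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
    -->
  </Service>
</Server>
EOF
# Constructed sample 2: the same file with the comment delimiters removed, i.e. HTTP/2 live.
sed '/<!--/d; /-->/d' "$tmpdir/no-h2.xml" > "$tmpdir/h2.xml"

for v in 9.0.89 9.0.90 10.1.0-M5 10.1.25 11.0.0-M20 11.0.0-M21 11.0.0 8.5.100; do
    printf '%-12s %s\n' "$v" "$(cve_2024_34750_status "$v")"
done
for f in "$tmpdir/no-h2.xml" "$tmpdir/h2.xml"; do
    if http2_enabled "$f"; then echo "$f: HTTP/2 enabled"; else echo "$f: HTTP/2 not enabled"; fi
done

# On a real host (CATALINA_HOME assumed to point at the running install), ServerInfo
# prints a line "Server version: Apache Tomcat/X.Y.Z"; classify that value.
if [ -n "${CATALINA_HOME:-}" ] && [ -f "$CATALINA_HOME/lib/catalina.jar" ] && command -v java >/dev/null 2>&1; then
    installed="$(java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo \
                 | sed -n 's#^Server version: *Apache Tomcat/##p')"
    echo "installed $installed: $(cve_2024_34750_status "$installed")"
fi
```

The comment stripper matters because the default server.xml contains the HTTP/2 connector as a commented-out example; a plain grep for Http2Protocol would report HTTP/2 as enabled on every stock install.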
📡 Detection & Monitoring
Log Indicators:
- Unusually high number of open HTTP/2 connections
- Connection timeout errors
- Increased memory usage patterns
Network Indicators:
- Excessive HTTP/2 traffic with large headers
- Sustained connections from single sources
SIEM Query:
source="tomcat" AND ("HTTP/2" OR "h2") AND (connection_count > threshold OR memory_usage > threshold)
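A host-level counterpart to the "sustained connections from single sources" indicator, as an added shell example that is not from the page or the Tomcat project. It reads the output of `ss -tn state established '( sport = :8443 )'` (with a state filter, ss omits the State column, so the peer address is the fourth field) and prints peers holding at least a threshold number of established connections. The port, the threshold and the sample output below are assumptions and constructed data.

```shell
#!/bin/sh
# Added example (not Tomcat's or the page's code): flag peers holding many
# established connections to the HTTP/2 port. Input format assumed:
#   ss -tn state established '( sport = :8443 )'
# The port 8443 and the thresholds are assumptions.

# Usage: flag_connection_floods THRESHOLD < ss-output
# Prints "<peer-ip> <count>" for every peer at or above THRESHOLD, sorted by IP.
flag_connection_floods() {
    awk -v t="$1" '
        NR == 1 { next }                   # header: Recv-Q Send-Q Local Address:Port Peer Address:Port
        {
            peer = $4
            sub(/:[0-9]+$/, "", peer)      # drop the client ephemeral port
            gsub(/\[|\]/, "", peer)        # unwrap IPv6 literals such as [::1]
            n[peer]++
        }
        END { for (p in n) if (n[p] + 0 >= t + 0) print p, n[p] }
    ' | LC_ALL=C sort
}

# Constructed sample: one peer holding four connections, two benign peers.
SAMPLE_SS_OUTPUT='Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
0      0      10.0.0.5:8443       203.0.113.7:51234
0      0      10.0.0.5:8443       203.0.113.7:51235
0      0      10.0.0.5:8443       198.51.100.20:40001
0      0      10.0.0.5:8443       203.0.113.7:51236
0      0      [::1]:8443          [::1]:60000
0      0      10.0.0.5:8443       203.0.113.7:51237'

# At a threshold of 3 only 203.0.113.7 is reported.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | flag_connection_floods 3

# Against a live host (assumed port and threshold):
# ss -tn state established '( sport = :8443 )' | flag_connection_floods 50
```

Run it from cron or a monitoring agent and alert on any non-empty output; pair it with the connector's maxConnections value so the threshold reflects how many lingering connections one source would need to exhaust the pool.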