CVE-2024-38286
📋 TL;DR
This vulnerability in Apache Tomcat allows attackers to cause denial of service by exploiting the TLS handshake process to trigger OutOfMemoryError conditions. It affects Tomcat versions 11.0.0-M1 through 11.0.0-M20, 10.1.0-M1 through 10.1.24, 9.0.13 through 9.0.89, and certain EOL versions. Systems with TLS-enabled connectors are vulnerable when configured in specific ways.
💻 Affected Systems
- Apache Tomcat
📦 What is this software?
Tomcat by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to memory exhaustion, potentially requiring server restart and causing extended downtime.
Likely Case
Intermittent service degradation or crashes affecting application availability.
If Mitigated
Minimal impact with proper resource limits and monitoring in place.
🎯 Exploit Status
Exploitation requires TLS access but no authentication; details are in security advisories but no public exploit code is confirmed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.0-M21, 10.1.25, or 9.0.90
Vendor Advisory: https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s
Restart Required: Yes
Instructions:
1. Download the patched version from the Apache Tomcat website.
2. Stop the Tomcat service.
3. Back up configuration files.
4. Replace the Tomcat installation with the patched version.
5. Restore configuration files.
6. Start the Tomcat service.
7. Verify the version and functionality.
🔧 Temporary Workarounds
Disable vulnerable TLS configurations
Modify TLS connector settings to avoid the vulnerable configuration pattern (all platforms)
Edit server.xml to review and adjust TLS connector settings
Implement connection rate limiting
Use network-level controls to limit TLS handshake attempts (Linux)
iptables -A INPUT -p tcp --dport 8443 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 8443 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to Tomcat TLS ports
- Deploy memory monitoring and alerting for OutOfMemoryError conditions
🔍 How to Verify
Check if Vulnerable:
Check Tomcat version and review TLS connector configurations in server.xml
Check Version:
java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo   (run from the Tomcat installation directory, where catalina.jar lives under lib/)
Verify Fix Applied:
Verify that the Tomcat version shows 11.0.0-M21, 10.1.25 or 9.0.90, or a later release on the same branch
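The version check above is easy to get wrong by hand because milestone builds (11.0.0-M20) must sort before the GA release of the same number. The following is an added example, not part of this advisory page or of the Tomcat project, that classifies ServerInfo output against the affected ranges listed on this page; the sample ServerInfo text is constructed.

```python
import re
from typing import Optional, Tuple

# Version pattern: 9.0.89, 10.1.24, or a milestone such as 11.0.0-M20.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")
GA = 10**6  # sentinel so a GA release sorts after every -Mn milestone of that number

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Extract the first Tomcat version in text as a sortable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else GA)

# Inclusive affected ranges and the first fixed release, as listed on this page.
AFFECTED = [
    (parse_version("11.0.0-M1"), parse_version("11.0.0-M20"), "11.0.0-M21"),
    (parse_version("10.1.0-M1"), parse_version("10.1.24"), "10.1.25"),
    (parse_version("9.0.13"), parse_version("9.0.89"), "9.0.90"),
]

def assess(server_info: str) -> Tuple[str, Optional[str]]:
    """Classify ServerInfo output (or a bare version string).

    Only the 'Server version:' line is considered when present, so the JVM
    version printed further down is not mistaken for the Tomcat version.
    Branches this page does not enumerate (EOL lines) are reported as
    'unknown_branch' for manual review rather than guessed at."""
    lines = [ln for ln in server_info.splitlines() if "Server version" in ln]
    v = parse_version(lines[0] if lines else server_info)
    for lo, hi, fix in AFFECTED:
        if v[:2] != lo[:2]:
            continue  # different major.minor branch
        return ("affected", fix) if lo <= v <= hi else ("not_affected", fix)
    return ("unknown_branch", None)

if __name__ == "__main__":
    # Constructed sample of ServerInfo output (not captured from a real host).
    sample = ("Server version: Apache Tomcat/9.0.89\n"
              "Server built:   Apr 1 2024 00:00:00 UTC\n"
              "JVM Version:    17.0.2+8\n")
    print(assess(sample))  # ('affected', '9.0.90')
```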
📡 Detection & Monitoring
Log Indicators:
- java.lang.OutOfMemoryError in catalina.out or logs
- Abnormal TLS handshake patterns
- High memory usage alerts
Network Indicators:
- Unusual volume of TLS handshake attempts
- Multiple incomplete TLS connections
SIEM Query:
source="tomcat.logs" AND ("OutOfMemoryError" OR ("TLS handshake" AND error))