DoS (Denial of Service) Vulnerability Found in Apache Tomcat

Apache Tomcat is the most widely used Java servlet container in the world. (A Java servlet is a software component written in the Java programming language that runs inside a web server such as Apache Tomcat; servlets are dynamic web components that receive user requests, process them, and return an appropriate response.) Tomcat is widely used to host and manage web applications and services. A security vulnerability discovered in 2024 has been assigned CVE-2024-38286, a denial of service (DoS) vulnerability. It stems from improper management of memory and computing resources in some versions of Tomcat and can be used by hackers to crash the system.
Vulnerability Details

  • Vulnerability ID: CVE-2024-38286.
  • Vulnerability Type: Denial of Service (DoS).
  • Affected software: Apache Tomcat 10.1.10 and earlier.
  • Impact scale: The impact can be significant because Tomcat is used by large organizations, web hosting providers, and many web applications.

CVE-2024-38286 allows an attacker to send excessive requests to a resource, disrupting the normal operation of the Tomcat service. The vulnerability affects Apache Tomcat's HTTP/2 protocol support and is triggered by sending a large number of invalid HTTP/2 requests.

The main stages of exploitation of the vulnerability are:

  1. HTTP/2 traffic manipulation: Tomcat may improperly handle HTTP/2 traffic, resulting in excessive use of system resources by invalid requests.
  2. System flooding: A large number of malicious requests sent by hackers will quickly fill up the server's computing resources.
  3. Service restriction: Resources are fully occupied and the service cannot respond to normal users. This results in a denial of service (DoS) attack.

The vulnerability is based on improper memory and request handling in Apache Tomcat’s HTTP/2 request handling mechanisms. More specifically, this request management error can be caused by malformed requests in certain situations.

A successful attack through this vulnerability can cause the server to crash. The following effects can be observed:

  • Service interruption: Due to system overload, the service will stop working for users.
  • Resource exhaustion: Since all the system's computing resources are full, new requests are not processed and the system becomes unresponsive.
  • Increased load on backup systems: Even if backup systems are available, they can also be affected if the attack scales high.

Protecting against vulnerabilities

To use Tomcat safely, it is recommended to take the following actions:

  • Software update: Apache Tomcat should be updated to 10.1.10 and later, as this vulnerability is fixed in newer versions.
  • Temporarily disable HTTP/2 support: If HTTP/2 is enabled in Apache Tomcat but is not required, the vulnerability can be mitigated by disabling HTTP/2.
  • Firewall and DDoS protection: Additional security measures, such as DDoS protection, can be applied to the server environment.
  • Rate-limit requests: By setting a limit (rate limit) on requests, excessive and malformed requests can be prevented from consuming all server resources.
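The "disable HTTP/2" mitigation above can be checked and applied against Tomcat's server.xml, where HTTP/2 is enabled by nesting an UpgradeProtocol element with className org.apache.coyote.http2.Http2Protocol inside a Connector. The following script is an added example, not code from the article or the Tomcat project; the server.xml fragment it parses is constructed for illustration (ports, keystore path and thread counts are made up).

```python
# Added example: audit a Tomcat server.xml for connectors that enable HTTP/2
# and produce a copy with HTTP/2 disabled, leaving TLS and other settings intact.
import xml.etree.ElementTree as ET

# Real Tomcat class name used to enable HTTP/2 on a connector.
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml: port 8443 has HTTP/2 enabled, 8080 is HTTP/1.1 only.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def http2_connectors(server_xml: str) -> list:
    """Return the port attribute of every Connector that enables HTTP/2."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_CLASS:
                ports.append(connector.get("port", "?"))
    return ports


def disable_http2(server_xml: str) -> str:
    """Return server.xml text with every HTTP/2 UpgradeProtocol element removed.
    The connector itself (TLS config, thread limits) is kept, so the port keeps
    serving HTTP/1.1 after the change."""
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        for upgrade in list(connector.findall("UpgradeProtocol")):
            if upgrade.get("className") == HTTP2_CLASS:
                connector.remove(upgrade)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("HTTP/2 enabled on ports:", http2_connectors(SAMPLE_SERVER_XML))
    print("after mitigation:", http2_connectors(disable_http2(SAMPLE_SERVER_XML)))
```

Run the audit against the real conf/server.xml before and after the change to confirm no connector still advertises HTTP/2, then restart Tomcat for the change to take effect.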

CVE-2024-38286 is a denial of service vulnerability in Apache Tomcat that particularly affects servers running the HTTP/2 protocol. It is important for system administrators and security personnel to be aware of this vulnerability, update Tomcat to the latest version, and take additional security measures.

For more information:
