Candidate: CVE-2019-0199
PublicDate: 2019-04-10 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199
Description:
 The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to
 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also
 permitted clients to keep streams open without reading/writing request/response
 data. By keeping streams open for requests that utilised the Servlet API's
 blocking I/O, clients were able to cause server-side threads to block,
 eventually leading to thread exhaustion and a DoS.
Ubuntu-Description:
Notes:
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=1693325
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_tomcat9:
upstream_tomcat9: released (9.0.16-1)
precise/esm_tomcat9: DNE
trusty_tomcat9: DNE
trusty/esm_tomcat9: DNE
xenial_tomcat9: DNE
bionic_tomcat9: not-affected (9.0.16-3~18.04.1)
cosmic_tomcat9: not-affected (9.0.16-3~18.10)
devel_tomcat9: not-affected (9.0.16-3)

Patches_tomcat8:
upstream_tomcat8: released (8.5.38-1)
precise/esm_tomcat8: DNE
trusty_tomcat8: DNE
trusty/esm_tomcat8: DNE
xenial_tomcat8: not-affected (code not present)
esm-infra/xenial_tomcat8: not-affected (code not present)
bionic_tomcat8: released (8.5.39-1ubuntu1~18.04.1)
cosmic_tomcat8: released (8.5.39-1ubuntu1~18.10)
devel_tomcat8: DNE
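The Patches_* rows above only answer "is my host fixed?" if the installed package version is compared with dpkg's ordering rules (epoch, then upstream, then Debian revision, with `~` sorting before everything, so 8.5.39-1ubuntu1~18.04.1 is older than 8.5.39-1ubuntu1). The following is an added example, not part of the tracker entry or of Ubuntu's own tooling: it reimplements that comparison so it runs without python3-apt, encodes the status table from this entry, and reports whether a given installed version still predates the fix for CVE-2019-0199. The package versions in the inventory at the bottom are constructed samples; on a real host the version comes from `dpkg-query -W -f='${Version}' tomcat8`.

```python
"""Check Ubuntu tomcat8/tomcat9 package versions against the CVE-2019-0199 fix table.

Added example (not from the tracker). The comparison follows dpkg's verrevcmp
rules; the fix table below is the Patches_* section of this entry.
"""


def _order(ch):
    """dpkg character weight inside a non-digit run: '~' < end < letters < others."""
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    if ch:
        return ord(ch) + 256
    return 0


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings (<0, 0, >0) like dpkg."""
    while a or b:
        first_diff = 0
        # Non-digit run, character by character with dpkg's weights.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros, longer run wins, else first differing digit.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' present: rpartition put the whole string in `revision`
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0, >0 as `a` is older than, equal to, or newer than `b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    c = _verrevcmp(ua, ub)
    return c if c else _verrevcmp(ra, rb)


# Patches_tomcat9 / Patches_tomcat8 rows of this entry: (status, fixed version).
# "DNE" means the package does not exist in that release.
STATUS = {
    "tomcat9": {
        "upstream": ("released", "9.0.16-1"),
        "precise/esm": ("DNE", None),
        "trusty": ("DNE", None),
        "trusty/esm": ("DNE", None),
        "xenial": ("DNE", None),
        "bionic": ("not-affected", "9.0.16-3~18.04.1"),
        "cosmic": ("not-affected", "9.0.16-3~18.10"),
        "devel": ("not-affected", "9.0.16-3"),
    },
    "tomcat8": {
        "upstream": ("released", "8.5.38-1"),
        "precise/esm": ("DNE", None),
        "trusty": ("DNE", None),
        "trusty/esm": ("DNE", None),
        "xenial": ("not-affected", None),  # code not present
        "esm-infra/xenial": ("not-affected", None),  # code not present
        "bionic": ("released", "8.5.39-1ubuntu1~18.04.1"),
        "cosmic": ("released", "8.5.39-1ubuntu1~18.10"),
        "devel": ("DNE", None),
    },
}


def is_vulnerable(package, release, installed):
    """True if `installed` predates the fix, False if fixed or not affected,
    None if the package does not exist for that release."""
    status, fixed = STATUS[package][release]
    if status == "DNE":
        return None
    if fixed is None:  # not-affected with no version: the HTTP/2 code never shipped
        return False
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample inventory (package, release, installed version).
    inventory = [
        ("tomcat8", "bionic", "8.5.30-1ubuntu1.4"),
        ("tomcat8", "bionic", "8.5.39-1ubuntu1~18.04.1"),
        ("tomcat9", "bionic", "9.0.16-3~18.04.1"),
        ("tomcat8", "xenial", "8.0.32-1ubuntu1.8"),
    ]
    for pkg, rel, ver in inventory:
        print(f"{pkg:8} {rel:8} {ver:26} vulnerable={is_vulnerable(pkg, rel, ver)}")
```

The comparator matters more than it looks: a naive string or tuple comparison would rank the bionic fix 8.5.39-1ubuntu1~18.04.1 above 8.5.39-1ubuntu1 because of the extra suffix, whereas dpkg (and `apt`) treat the `~` backport suffix as older, which is exactly why the security-pocket version can be superseded by a plain 8.5.39-1ubuntu1 from a later release.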