Apache Tomcat < 11.0.0-M17 — DoS
Apache Tomcat has a denial of service vulnerability in HTTP/2 request header processing. Update to Tomcat 11.0.0-M17 / 10.1.19 / 9.0.86 — Tomcat powers a large share of Java enterprise applications.
An unauthenticated attacker can send HTTP/2 requests with oversized headers to cause sustained denial of service against Apache Tomcat. In environments where Tomcat is internet-facing, this can disrupt web application availability.
When an HTTP/2 request exceeds one of Tomcat's configured header limits (for example maxHeaderCount or maxHeaderSize on the HTTP/2 UpgradeProtocol), affected versions do not reset the stream until all of the request's headers have been processed. An unauthenticated client can therefore keep the server allocating and decoding header data well past the limit, and a stream of such requests drives up memory and CPU use until the JVM runs out of memory or performance degrades for legitimate users.
Probably yes if any of these apply:
- Tomcat 11.0.0 milestone builds before 11.0.0-M17
- Tomcat 10.1.x releases before 10.1.19
- Tomcat 9.0.x releases before 9.0.86
Affected OS versions: all. The flaw is in Tomcat's own Java code, so Windows, Linux and any other platform running one of these builds is affected. The vulnerable code path is only reachable when HTTP/2 is enabled, i.e. when a Connector in conf\server.xml carries an UpgradeProtocol element with className org.apache.coyote.http2.Http2Protocol; HTTP/2 is off in the default server.xml, so an instance without that element is not exposed, but should still be upgraded.
Example scenario: a Java application server running Tomcat 10.1.x below 10.1.19 with an HTTP/2 connector is targeted by automated DoS traffic sending HTTP/2 requests whose header sections exceed the configured limits. Heap use climbs quickly, the JVM spends its time in garbage collection and header decoding, and legitimate users get 503 errors or timeouts. Upgrading to 10.1.19 resolves the issue.
Manual remediation steps
⏱ 30 minutes including service restart
Check Tomcat Version
# From the Tomcat installation directory (prints "Server version: Apache Tomcat/x.y.z"):
.\bin\version.bat
# Or read the JAR manifest and look for the Implementation-Version line (C:\tomcat assumed):
$tomcatJar = Get-ChildItem "C:\tomcat\lib" -Filter "catalina*.jar" | Select-Object -First 1
if ($tomcatJar) {
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [IO.Compression.ZipFile]::OpenRead($tomcatJar.FullName)
    try {
        $manifest = $zip.Entries | Where-Object { $_.FullName -eq "META-INF/MANIFEST.MF" }
        $reader = [IO.StreamReader]::new($manifest.Open())
        try { $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally {
        $zip.Dispose()
    }
} else {
    Write-Warning "catalina*.jar not found under C:\tomcat\lib"
}
Download and Update Tomcat
Download the fixed release for your branch (11.0.0-M17, 10.1.19 or 9.0.86) from the Apache Tomcat download page and verify its checksum or signature before installing. Back up conf\, webapps\ and any JARs you have added to lib\ before replacing the installation. Then:
# Service name is whatever the installer registered (Tomcat10 assumed here):
Stop-Service Tomcat10 -ErrorAction SilentlyContinue
# Or, for a zip (non-service) install:
.\bin\shutdown.bat
# Install the new release over the old one, or into a new directory and move conf\ and webapps\ across, then:
Start-Service Tomcat10
# Or:
.\bin\startup.bat
Verify
.\bin\version.bat
# Must show the fixed release for your branch (11.0.0-M17, 10.1.19 or 9.0.86) or later
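Putting the check together as one script: the following PowerShell is an added example, not part of the original entry or of Tomcat's own tooling. It reads the version from lib\catalina.jar (from org/apache/catalina/util/ServerInfo.properties, the same file version.bat prints), compares it with the fixed release for its branch while handling the 11.0.0 milestone numbering correctly, and reports whether HTTP/2 is actually enabled in conf\server.xml. It is read-only. The install path C:\tomcat and the branch table are assumptions; adjust -TomcatHome for your layout.

```powershell
# Added example, not from the original entry: assess one Windows Tomcat install
# for this advisory. Assumes CATALINA_HOME is C:\tomcat (override with -TomcatHome).
param(
    [string]$TomcatHome = "C:\tomcat"
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Fixed releases named in this entry, keyed by branch (major.minor).
$FixedByBranch = @{ "11.0" = "11.0.0-M17"; "10.1" = "10.1.19"; "9.0" = "9.0.86" }

function Get-TomcatVersion {
    param([string]$Path)
    $jar = Join-Path $Path "lib\catalina.jar"
    if (-not (Test-Path $jar)) { throw "catalina.jar not found at $jar" }
    $zip = [IO.Compression.ZipFile]::OpenRead($jar)
    try {
        # Same source version.bat reads, e.g. server.info=Apache Tomcat/10.1.19
        $entry = $zip.GetEntry("org/apache/catalina/util/ServerInfo.properties")
        if (-not $entry) { throw "ServerInfo.properties missing from $jar" }
        $reader = [IO.StreamReader]::new($entry.Open())
        try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally {
        $zip.Dispose()
    }
    if ($text -match 'server\.info=Apache Tomcat/(\S+)') { return $Matches[1] }
    throw "Could not parse server.info in $jar"
}

function ConvertTo-VersionKey {
    # "11.0.0-M17" -> numeric 11.0.0 plus milestone 17. A GA release outranks
    # every milestone with the same number, so GA gets the maximum milestone value.
    param([string]$Version)
    if ($Version -notmatch '^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?') { throw "Unrecognised version '$Version'" }
    $numeric   = [version]("{0}.{1}.{2}" -f $Matches[1], $Matches[2], $Matches[3])
    $milestone = if ($Matches[4]) { [int]$Matches[4] } else { [int]::MaxValue }
    [pscustomobject]@{ Numeric = $numeric; Milestone = $milestone }
}

function Test-VersionBelow {
    param([string]$Installed, [string]$Fixed)
    $a = ConvertTo-VersionKey $Installed
    $b = ConvertTo-VersionKey $Fixed
    if ($a.Numeric -ne $b.Numeric) { return ($a.Numeric -lt $b.Numeric) }
    return ($a.Milestone -lt $b.Milestone)
}

function Get-Http2ConnectorCount {
    # HTTP/2 is only on when a Connector carries the Http2Protocol UpgradeProtocol.
    param([string]$Path)
    $serverXml = Join-Path $Path "conf\server.xml"
    if (-not (Test-Path $serverXml)) { throw "server.xml not found at $serverXml" }
    $xpath = "//Connector/UpgradeProtocol[@className='org.apache.coyote.http2.Http2Protocol']"
    return @(Select-Xml -Path $serverXml -XPath $xpath).Count
}

$installed = Get-TomcatVersion -Path $TomcatHome
$branch    = ($installed -split '\.')[0..1] -join '.'
$http2     = Get-Http2ConnectorCount -Path $TomcatHome
Write-Host "Tomcat $installed in $TomcatHome; HTTP/2-enabled connectors: $http2"

if (-not $FixedByBranch.ContainsKey($branch)) {
    Write-Warning "Branch $branch is not covered by this entry; check the Apache Tomcat security page for that branch."
} elseif (Test-VersionBelow -Installed $installed -Fixed $FixedByBranch[$branch]) {
    if ($http2 -gt 0) {
        Write-Warning "VULNERABLE: $installed is below $($FixedByBranch[$branch]) and HTTP/2 is enabled. Upgrade; until then, removing the UpgradeProtocol element from server.xml closes the HTTP/2 path."
    } else {
        Write-Warning "$installed is below $($FixedByBranch[$branch]) but HTTP/2 is not configured, so the affected code path is not reachable. Upgrade anyway."
    }
} else {
    Write-Host "OK: $installed is at or above $($FixedByBranch[$branch])."
}
```

Run it as .\Check-TomcatDoS.ps1 -TomcatHome "D:\apps\tomcat" from an elevated prompt if the install directory is ACL-restricted. The milestone handling matters because a plain string or [version] comparison would rank 11.0.0-M17 and 11.0.0-M9 by their text, not by milestone number; the script parses the -M suffix separately so M9 sorts below M17 and a GA 11.0.0 sorts above both.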