Forwarding from an initial email this morning.

_______________________________________________________

Good Morning,

I have been referred to this team in an attempt to have some questions 
answered.  Before I ask those questions, let me provide a little background on 
how I got to this point.

Vulnerability scans showed that two of my servers in the DMZ came back with 
CVE-2019-10072 vulnerability.  The CVE information is below:

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection 
window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 
8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection 
window (stream 0), clients were able to cause server-side threads to block, 
eventually leading to thread exhaustion and a DoS. 
(CVE-2019-10072 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072>)

The question I have is based on the server.xml configuring the connector and 
protocols used.  Below are the server.xml connector entries from both of my servers:

Server6: <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"

Server5: <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"

What I have highlighted are the protocols that are used for those specific 
connectors on the servers.

So, my question is, in your professional opinion: if I'm not calling the http2 
protocol in any connector, my servers shouldn't be susceptible to this 
particular CVE's vulnerability assessment?

Please let me know if this question can be answered.

Thanks!!

Tony Justiniano
Engineer I, EUS Engineering


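The CVE text quoted above concerns Tomcat's HTTP/2 connection-window handling, so the configuration question behind the mail reduces to: does any Connector in server.xml actually have HTTP/2 switched on? In Tomcat 8.5 and 9, HTTP/2 is enabled per connector by nesting an UpgradeProtocol element with className org.apache.coyote.http2.Http2Protocol inside the Connector; a connector that only names an Http11 protocol class with no such child serves HTTP/1.1. The script below is an added example (not from the mail or from the Tomcat project) that parses a server.xml and reports that status per connector. The embedded server.xml is constructed for the demonstration: the port 443 connector mirrors the Server5/Server6 entries above, and the port 8443 connector has HTTP/2 enabled for contrast.

```python
"""Report which Tomcat connectors in a server.xml have HTTP/2 enabled.

Added example: parses server.xml and flags each <Connector> whose nested
<UpgradeProtocol> enables org.apache.coyote.http2.Http2Protocol.
"""
import sys
import xml.etree.ElementTree as ET

# In Tomcat 8.5/9, HTTP/2 is only active on a connector that nests this class.
HTTP2_UPGRADE_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml (not a real deployment): the port 443 entry is
# an HTTP/1.1 NIO connector like Server5/Server6 in the mail; the 8443 entry has
# HTTP/2 enabled via a nested UpgradeProtocol element.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
"""


def connector_http2_status(server_xml: str) -> list:
    """Return one dict per <Connector>: its port, protocol and HTTP/2 status."""
    root = ET.fromstring(server_xml)
    results = []
    for connector in root.iter("Connector"):
        # Only direct UpgradeProtocol children of the Connector count.
        upgrade_classes = [
            u.get("className", "") for u in connector.findall("UpgradeProtocol")
        ]
        results.append({
            "port": connector.get("port"),
            # Tomcat treats a missing protocol attribute as HTTP/1.1.
            "protocol": connector.get("protocol", "HTTP/1.1"),
            "http2": HTTP2_UPGRADE_CLASS in upgrade_classes,
        })
    return results


def http2_ports(server_xml: str) -> list:
    """Ports of every connector that has HTTP/2 enabled."""
    return [c["port"] for c in connector_http2_status(server_xml) if c["http2"]]


if __name__ == "__main__":
    # Usage: python check_http2.py /path/to/conf/server.xml
    # With no argument the constructed sample above is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SERVER_XML
    for c in connector_http2_status(xml_text):
        flag = "HTTP/2 ENABLED" if c["http2"] else "HTTP/1.1 only"
        print(f"port {c['port']}: {c['protocol']} -> {flag}")
```

Run it against the real conf/server.xml on each DMZ host rather than on pasted excerpts, since the UpgradeProtocol child can sit several lines below the Connector's opening tag and is easy to miss when quoting only the first line. A version-based vulnerability scanner flags the installed Tomcat build regardless of connector configuration, so this check explains whether the HTTP/2 code path is reachable; it is a complement to upgrading to a fixed release, not a substitute for it.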
