On 01/08/2019 19:49, Justiniano, Tony wrote:
> Forwarding from an initial email this morning.
>
> _______________________________________________________
>
> Good Morning,
>
> I have been referred to this team in an attempt to have some questions
> answered. Before I ask those questions let me provide a little background on
> how I got to this point.
>
> Vulnerability scans showed that two of my servers in the DMZ came back with
> CVE-2019-10072 vulnerability. The CVE information is below:
>
> The fix for CVE-2019-0199 was incomplete and did not address HTTP/2
> connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to
> 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the
> connection window (stream 0) clients were able to cause server-side threads
> to block eventually leading to thread exhaustion and a DoS.
> (CVE-2019-10072 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072>)
>
> The question I have is based on the server.xml configuring the connector and
> protocols used. Below are both of my servers' server.xml connector entries:
>
> Server6: <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>
> Server5: <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>
> What I have highlighted are the protocols that are used for those specific
> connectors on the servers.
>
> So, my question is, in your professional opinions, if I'm not calling the
> http2 protocol in any connector, my servers shouldn't be susceptible to the
> particular CVE's vulnerability assessment.
>
> Please let me know if this question can be answered.
If you don't have <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> nested in a Connector anywhere in your server.xml, then you can't possibly be vulnerable to HTTP/2 related vulnerabilities. Looks like it is time to start shopping for a new vulnerability scanner.

Mark
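The condition Mark describes (an `UpgradeProtocol` element for `org.apache.coyote.http2.Http2Protocol` nested inside a `Connector`) is mechanical enough to check automatically, which is useful when a scanner flags a fleet of servers on version alone. The script below is an added example, not part of the original thread or of Tomcat itself; it parses a `server.xml` and lists every Connector that actually has HTTP/2 enabled. The two embedded `server.xml` fragments are constructed samples: one mirrors the poster's HTTP/1.1-only Connector, the other has the HTTP/2 upgrade protocol added so the check has something to find.

```python
"""Report which Connectors in a Tomcat server.xml have HTTP/2 enabled.

Added example (hypothetical helper, not Tomcat code). Tomcat only speaks
HTTP/2 on a Connector that contains
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
so a Connector without that child is not exposed to HTTP/2-specific issues.
"""
import sys
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample: HTTP/1.1 NIO connector only, like the poster's servers.
SERVER_XML_NO_H2 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />
  </Service>
</Server>"""

# Constructed sample: same connector, but with the HTTP/2 upgrade protocol nested in it.
SERVER_XML_H2 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>"""


def http2_connectors(server_xml: str) -> list[str]:
    """Return 'port/protocol' for each Connector with an HTTP/2 UpgradeProtocol child."""
    root = ET.fromstring(server_xml)
    found = []
    for connector in root.iter("Connector"):
        # Only a direct UpgradeProtocol child with the HTTP/2 class enables HTTP/2.
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_CLASS:
                found.append(f"{connector.get('port')}/{connector.get('protocol')}")
                break
    return found


def http2_enabled(server_xml: str) -> bool:
    """True if any Connector in the given server.xml text has HTTP/2 enabled."""
    return bool(http2_connectors(server_xml))


def audit_file(path: str) -> list[str]:
    """Read a server.xml from disk and return its HTTP/2-enabled connectors."""
    with open(path, encoding="utf-8") as fh:
        return http2_connectors(fh.read())


if __name__ == "__main__":
    # Usage: python check_http2.py /path/to/conf/server.xml
    # With no argument, run against the two constructed samples instead.
    if len(sys.argv) > 1:
        hits = audit_file(sys.argv[1])
        print("HTTP/2 connectors:", hits or "none")
    else:
        for label, xml_text in (("no-h2 sample", SERVER_XML_NO_H2), ("h2 sample", SERVER_XML_H2)):
            print(f"{label}: HTTP/2 connectors = {http2_connectors(xml_text) or 'none'}")
```

Run it against `conf/server.xml` on each host the scanner flagged; an empty result matches the configuration in the original question, where the Connector carries only `Http11NioProtocol` and no nested `UpgradeProtocol`. The check looks only at the configuration condition discussed in the thread, so a scanner that keys on the reported Tomcat version will still fire regardless of what this script reports.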