Today Netflix has published a report highlighting various potential DoS
attacks against HTTP/2 implementations [1].

No immediate action is required for Tomcat users since none of the
described attacks result in a DoS with Apache Tomcat.

The Tomcat Security Team has reviewed the impact on Tomcat of each of
these attacks. The load generated by the attacks is comparable to the
load generated by a similar amount of valid client traffic. Therefore,
these requests are not viewed as a DoS by the Tomcat Security Team. We
did look a little harder at the CVE-2019-9513 "Resource Loop" attack as
it came closest to exceeding the load generated by valid traffic.

While we do not consider the described attacks to represent a DoS for
Apache Tomcat, they do all represent abusive client behaviour. In
response to these reports we will be expanding the overhead protection
already in place to detect these abusive behaviours and to close the
connection when they are detected.

The expanded overhead detection will be configurable, including the
option to disable it. The configuration will be provided with what we
consider to be reasonable defaults although there is the possibility
that these defaults will be adjusted based on user feedback in future
versions.

This additional protection will be in the next releases of 9.0.x and
8.5.x, currently expected to be 9.0.23 and 8.5.44. The release process
for these versions is expected to start later today.

Mark
on behalf of the Tomcat Security Team

[1]
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
