Apache Tomcat HTTP/2 Denial of Service Vulnerability Security Advisory

Release date: 2019-03-26

Vulnerability ID and Severity


CVE ID: CVE-2019-0199; Risk level: High; CVSS score: vendor self-assessed 7.5, not yet officially rated


Affected Versions


Apache Tomcat 9.0.0.M1 to 9.0.14

Apache Tomcat 8.5.0 to 8.5.37


Vulnerability Overview


The Apache Tomcat project has disclosed an HTTP/2 denial-of-service vulnerability. The HTTP/2 implementation accepted streams carrying an excessive number of SETTINGS frames and allowed clients to keep streams open without reading or writing any request or response data. An attacker can exploit this from the client side by opening a large number of streams and leaving them open, which blocks server-side threads; once the server's thread resources are exhausted the service becomes unavailable.
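To make the two abuse patterns concrete, the following Python example (added here; not code from the advisory or the Tomcat project) parses a raw HTTP/2 frame stream and reports a connection that sends an excessive number of SETTINGS frames or opens many streams without ever sending request data. The frame layout and type codes follow RFC 7540; the two sample connections and both thresholds are constructed for illustration and are not Tomcat's own limits.

```python
import struct

# Frame type codes and flag bits from RFC 7540 (sections 6.1, 6.2, 6.5).
DATA, HEADERS, SETTINGS = 0x0, 0x1, 0x4
END_STREAM, END_HEADERS, ACK = 0x1, 0x4, 0x1  # END_STREAM and ACK share bit 0


def parse_frames(raw: bytes):
    """Split a raw HTTP/2 byte stream (everything after the client connection
    preface) into (type, flags, stream_id, payload) tuples.
    Frame header: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id.
    A trailing truncated frame is dropped rather than raising."""
    frames, off = [], 0
    while off + 9 <= len(raw):
        length = int.from_bytes(raw[off:off + 3], "big")
        ftype, flags = raw[off + 3], raw[off + 4]
        stream_id = int.from_bytes(raw[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = raw[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated: stop without guessing
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame (used only to build the constructed samples below)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


def settings_frame(settings, ack=False):
    """SETTINGS frame on stream 0; each setting is a 16-bit id and a 32-bit value."""
    payload = b"".join(struct.pack(">HI", sid, val) for sid, val in settings)
    return frame(SETTINGS, ACK if ack else 0, 0, payload)


def count_client_settings(frames):
    """Non-ACK SETTINGS frames are the ones the server must apply and
    acknowledge; ACK frames carry no settings and are not counted."""
    return sum(1 for t, f, _, _ in frames if t == SETTINGS and not f & ACK)


def idle_open_streams(frames):
    """Streams the client opened with HEADERS but neither ended (END_STREAM)
    nor fed any DATA: the pattern that leaves a server thread waiting."""
    opened, finished = set(), set()
    for t, f, sid, _ in frames:
        if sid == 0:
            continue  # connection-level frames never open a stream
        if t == HEADERS:
            opened.add(sid)
            if f & END_STREAM:
                finished.add(sid)
        elif t == DATA:
            finished.add(sid)
    return sorted(opened - finished)


def assess(raw, max_settings=10, max_idle_streams=50):
    """Summarise one connection; the thresholds are constructed illustrations."""
    frames = parse_frames(raw)
    n_settings = count_client_settings(frames)
    idle = idle_open_streams(frames)
    return {
        "settings_frames": n_settings,
        "idle_open_streams": len(idle),
        "suspicious": n_settings > max_settings or len(idle) > max_idle_streams,
    }


# Constructed samples (not captured traffic): one ordinary connection and one
# that floods SETTINGS and leaves 100 streams open with no request body.
NORMAL = settings_frame([(0x3, 100)]) + frame(HEADERS, END_STREAM | END_HEADERS, 1, b"\x82")
ABUSIVE = (b"".join(settings_frame([(0x3, 100)]) for _ in range(200))
           + b"".join(frame(HEADERS, END_HEADERS, sid) for sid in range(1, 201, 2)))

if __name__ == "__main__":
    print("normal :", assess(NORMAL))
    print("abusive:", assess(ABUSIVE))
```

The same two counters can be fed from a packet capture decoded into frames; what matters for detection is that both measures are per connection, since a single client can repeat the pattern across many connections.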


Vulnerability Verification


No PoC or exploit is currently available.

Check whether the deployed Apache Tomcat version number falls within the affected version ranges listed above.
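The version check above in code, as an added Python example that is not part of the advisory: it reads the version out of the output of Tomcat's own `org.apache.catalina.util.ServerInfo` tool (run as `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` from the Tomcat home directory; the output below is a constructed sample, not captured from a host) and compares it against the affected ranges, taking care that the `9.0.0.Mx` milestone releases sort before the numbered 9.0.x releases.

```python
import re

# Affected ranges (inclusive) and fixed releases as stated in the advisory.
AFFECTED_RANGES = (("9.0.0.M1", "9.0.14"), ("8.5.0", "8.5.37"))
FIXED_IN = {(9, 0): "9.0.16", (8, 5): "8.5.38"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?")


def version_key(version):
    """Sortable key for a Tomcat version string.

    Milestones such as 9.0.0.M1 ... 9.0.0.M27 precede the first numbered
    9.0.x release, so the fourth element is 0 for a milestone and 1 for a
    final release; the fifth element carries the milestone number."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            0 if milestone else 1, int(milestone or 0))


def is_affected(version):
    """True when `version` lies inside one of the advisory's affected ranges."""
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def version_from_server_info(output):
    """Extract the version from ServerInfo output, which contains a line of
    the form 'Server version: Apache Tomcat/9.0.14'. Returns None if absent."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", output)
    return m.group(1) if m else None


def advice(version):
    """One-line verdict for a version string."""
    if is_affected(version):
        branch = version_key(version)[:2]
        return f"{version}: affected by CVE-2019-0199, upgrade to {FIXED_IN[branch]} or later"
    return f"{version}: not in an affected range"


# Constructed sample of ServerInfo output (not captured from a real host).
SAMPLE_SERVER_INFO = """\
Server version: Apache Tomcat/9.0.14
Server number:  9.0.14.0
OS Name:        Linux
"""

if __name__ == "__main__":
    found = version_from_server_info(SAMPLE_SERVER_INFO)
    if found:
        print(advice(found))
    for v in ("9.0.0.M1", "9.0.16", "8.5.37", "8.5.38", "7.0.93"):
        print(advice(v))
```

Note that the check only covers the two branches named in the advisory; a version from another branch (for example 7.0.x) is reported as "not in an affected range" rather than as safe in general.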


Remediation


The vulnerability details have now been publicly disclosed, and the project has fixed the issue in Apache Tomcat 9.0.16, Apache Tomcat 8.5.38 and later releases.
http://tomcat.apache.org/security-9.html

http://tomcat.apache.org/security-8.html


References


https://www.mail-archive.com/dev@tomcat.apache.org/msg132386.html