Apache Tomcat HTTP/2 Flaw: High-Severity DoS Vulnerability (CVE-2024-34750) Exposes Servers
A critical vulnerability in Apache Tomcat's HTTP/2 implementation can be exploited to launch denial-of-service (DoS) attacks, leaving servers unresponsive. The flaw, tracked as CVE-2024-34750 and rated HIGH severity with a CVSS v3.1 score of 7.5, stems from improper handling of exceptional conditions. When processing an HTTP/2 stream with excessive headers, Tomcat miscounts active streams, so an incorrect infinite timeout is applied to the connection. Connections that should be terminated therefore remain open indefinitely, consuming server resources.
The vulnerability affects a wide range of Tomcat versions: all releases from 11.0.0-M1 through 11.0.0-M20 and from 10.1.0-M1 through 10.1.24. The core issue is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-755 (Improper Handling of Exceptional Conditions). In the Maven project configuration file (`pom.xml`) where the exposure was identified, the affected component is the `org.apache.tomcat.embed:tomcat-embed-core` package at version 10.1.20, which falls inside the affected 10.1 range.
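As an added example (not code from the article or from the Tomcat project), the following Python check reads the `tomcat-embed-core` version out of a `pom.xml`, resolves a `${...}` property if one is used, and tests it against the affected ranges stated above, ordering milestones before final releases as Maven does. The sample `pom.xml` is constructed here and pins the 10.1.20 version the article names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not taken from the page), pinning the version the advisory names.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <tomcat.version>10.1.20</tomcat.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>${tomcat.version}</version>
    </dependency>
  </dependencies>
</project>"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# Affected ranges as stated in the advisory (inclusive at both ends).
AFFECTED_RANGES = [("10.1.0-M1", "10.1.24"), ("11.0.0-M1", "11.0.0-M20")]

def version_key(version):
    """Sort key that orders a milestone (10.1.0-M5) before its final release (10.1.0), as Maven does."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    # Fourth field: 0 = milestone, 1 = final release; fifth field breaks ties between milestones.
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def is_affected(version):
    """True when the version lies inside one of the CVE-2024-34750 ranges above."""
    return any(version_key(lo) <= version_key(version) <= version_key(hi) for lo, hi in AFFECTED_RANGES)

def tomcat_embed_core_version(pom_xml):
    """Declared tomcat-embed-core version with ${...} properties from the same pom resolved; None if absent."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        coords = tuple(dep.findtext(f"m:{t}", default="", namespaces=NS).strip()
                       for t in ("groupId", "artifactId", "version"))
        if coords[:2] == ("org.apache.tomcat.embed", "tomcat-embed-core"):
            return re.sub(r"\$\{([^}]+)\}", lambda mm: props.get(mm.group(1), mm.group(0)), coords[2])
    return None

def check_pom(pom_xml):
    # Returns (version, affected) so a CI step can fail the build on a vulnerable pin.
    version = tomcat_embed_core_version(pom_xml)
    return version, version is not None and is_affected(version)
```

Versions outside the two ranges (for example 9.0.x, or anything newer than the listed upper bounds) are reported as not affected by this CVE only; they may still need checking against other advisories.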
This vulnerability presents a significant operational risk for any service running the affected Tomcat versions. Attackers can exploit it over the network without authentication, potentially degrading or crippling application availability. The issue, also tracked under the alias BIT-tomcat-2024-34750, calls for immediate scrutiny by development and infrastructure teams to assess exposure and apply the necessary patches or version upgrades to mitigate the DoS threat.