Re: [SECURITY] CVE-2024-52317 Apache Tomcat - Request and/or response mix-up

Mon, 18 Nov 2024 04:23:39 -0800

Only if you are using Tomcat's HTTP/2 implementation in any of the affected versions is this vulnerability applicable. 

Mark


On 18/11/2024 11:59, Rathore, Rajendra wrote:

Hi Mark/All,

As we are using Apache Http server with Ajp proxy with tomcat. We are also 
using Apache Http server with Http2. Is this vulnerability applicable to such 
configurations or not?

Please provide input for below configuration

1. Apache Http Server + AJP proxy+ tomcat with AJP worked    Vulnerability 
applicable or not?
2. Apache Http server + Tomcat with Http proxy Vulnerability applicable or not?

Thanks and Regards,
Rajendra Rathore
9922701491

-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Monday, November 18, 2024 4:48 PM
To: Tomcat Users List <users@tomcat.apache.org>
Cc: annou...@apache.org; annou...@tomcat.apache.org; Tomcat Developers List 
<d...@tomcat.apache.org>
Subject: [SECURITY] CVE-2024-52317 Apache Tomcat - Request and/or response 
mix-up

CVE-2024-52317 Apache Tomcat - Request and/or response mix-up

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M23 to 11.0.0-M26
Apache Tomcat 10.1.7 to 10.1.30
Apache Tomcat 9.0.92 to 9.0.95

Description:
Incorrect recycling of the request and response used by HTTP/2 requests could 
lead to request and/or response mix-up between users.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0 or later
- Upgrade to Apache Tomcat 10.1.31 or later
- Upgrade to Apache Tomcat 9.0.96 or later

Credit:
This vulnerability identified by the Tomcat security team

History:
2024-11-18 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to