
CVE-2024-23672: Apache Tomcat: WebSocket DoS with incomplete closing handshake

Description

Denial-of-service via incomplete cleanup vulnerability in Apache Tomcat. A WebSocket client that never completed the closing handshake could keep the server-side WebSocket connection open, so the resources tied to that connection were not released and a client holding many such half-closed connections could drive up server resource consumption.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue. The advisory lists no configuration workaround; upgrading is the fix.
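To check a deployed instance against the ranges above, here is an added example in Python; it is not code from the advisory or from the Tomcat project. The range bounds are copied from the description, and the version ordering treats milestone builds (-Mn) as earlier than the GA release with the same numeric part, which is how Tomcat numbers them. It assumes the version is read from Tomcat's "Apache Tomcat/<version>" banner (the default error page footer or the "Server version:" line printed by bin/version.sh); the sample banners are constructed, not captured from a real host.

```python
import re
from typing import NamedTuple, Optional


class TomcatVersion(NamedTuple):
    """Sortable form of a Tomcat version. Milestones sort before the GA
    release with the same numeric part: 10.1.0-M1 < 10.1.0-M8 < 10.1.0."""
    major: int
    minor: int
    patch: int
    ga: int         # 0 for a milestone build, 1 for a GA release
    milestone: int  # n for -Mn, 0 for GA


# Accepts "9.0.85", "11.0.0-M16" and the older dotted form "9.0.0.M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(text: str) -> TomcatVersion:
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a Tomcat version string: {text!r}")
    major, minor, patch, ms = m.groups()
    if ms is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(ms))


# (first affected, first fixed) per branch, copied from the advisory text.
AFFECTED_RANGES = (
    ("11.0.0-M1", "11.0.0-M17"),
    ("10.1.0-M1", "10.1.19"),
    ("9.0.0-M1", "9.0.86"),
    ("8.5.0", "8.5.99"),
)


def classify(version: str) -> str:
    """Return "affected", "fixed" or "unlisted" for CVE-2024-23672.

    "unlisted" means the major.minor branch (e.g. 8.0.x, 7.0.x) is not
    mentioned in the advisory at all. Those branches are end-of-life, so
    treat "unlisted" as unassessed rather than as safe."""
    v = parse_version(version)
    for first, fixed in AFFECTED_RANGES:
        lo, hi = parse_version(first), parse_version(fixed)
        if (lo.major, lo.minor) != (v.major, v.minor):
            continue
        return "affected" if lo <= v < hi else "fixed"
    return "unlisted"


# Tomcat prints "Apache Tomcat/<version>" in its default error pages and in
# the "Server version:" line of bin/version.sh; this pulls the version out.
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:[-.]M\d+)?)")


def extract_version(banner: str) -> Optional[str]:
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    samples = [
        "Server version: Apache Tomcat/9.0.85",
        "<h3>Apache Tomcat/10.1.19</h3>",
        "<h3>Apache Tomcat/11.0.0-M16</h3>",
        "Server version: Apache Tomcat/8.0.53",
        "Server: nginx/1.24.0",
    ]
    for s in samples:
        ver = extract_version(s)
        verdict = classify(ver) if ver else "no Tomcat version found"
        print(f"{ver or '-':>12}  {verdict}")
```

Run it with no arguments to see the verdict for each constructed banner; in practice, feed it the output of bin/version.sh from each host, since a hardened deployment may have removed the version from its error pages and a reverse proxy may hide the Server header entirely.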

Classification

CVE ID: CVE-2024-23672

Affected Products

Vendor: Apache Software Foundation

Product: Apache Tomcat

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability that the vulnerability is exploited in the wild within the next 30 days; a likelihood estimate, not a severity rating)

EPSS Percentile: 12.91% (share of all scored CVEs whose EPSS score is less than or equal to this one)

EPSS Date: 2025-03-14 (date on which this score was calculated)

References

https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f
https://security.netapp.com/advisory/ntap-20240402-0002/
https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html
http://www.openwall.com/lists/oss-security/2024/03/13/4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/
