CVE-2024-23672 Overview
CVE-2024-23672 is a Denial of Service vulnerability affecting Apache Tomcat caused by incomplete cleanup of WebSocket connections. This flaw allows WebSocket clients to keep connections open indefinitely, leading to increased resource consumption on the server. The vulnerability stems from improper handling of WebSocket connection lifecycle management, classified under CWE-459 (Incomplete Cleanup).
The vulnerability affects a wide range of Apache Tomcat versions across multiple major release branches, making it a significant concern for organizations running web applications on this popular Java servlet container. Attackers can exploit this weakness to exhaust server resources by maintaining numerous open WebSocket connections, potentially degrading service availability for legitimate users.
Critical Impact
Attackers can exhaust server resources by keeping WebSocket connections open indefinitely, leading to service degradation or complete denial of service for Apache Tomcat-hosted applications.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.0-M16
- Apache Tomcat 10.1.0-M1 through 10.1.18
- Apache Tomcat 9.0.0-M1 through 9.0.85
- Apache Tomcat 8.5.0 through 8.5.98
- Debian Linux 10.0
- Fedora 39 and 40
Discovery Timeline
- March 13, 2024 - CVE-2024-23672 published to NVD
- August 7, 2025 - Last updated in NVD database
Technical Details for CVE-2024-23672
Vulnerability Analysis
This vulnerability stems from a weakness in Apache Tomcat's WebSocket implementation: resources are not completely cleaned up when a connection ends. When a WebSocket connection is established, Tomcat allocates server-side resources to manage the bidirectional communication channel. Under normal operation, these resources should be released when the connection is properly closed or times out.
However, due to the incomplete cleanup flaw, malicious clients can manipulate WebSocket connections to remain open beyond their intended lifecycle without triggering proper resource deallocation. This behavior allows attackers to accumulate numerous stale connections, gradually consuming memory, thread pools, and other server resources until the system becomes unresponsive or crashes.
The attack is particularly effective because WebSocket connections are designed for long-lived bidirectional communication, making it difficult to distinguish between legitimate long-running connections and malicious resource-hoarding attempts without proper connection management controls.
Root Cause
The root cause of CVE-2024-23672 lies in Apache Tomcat's WebSocket connection handling logic, which fails to properly clean up resources under certain connection termination scenarios. Specifically, when WebSocket clients do not follow the standard connection close handshake or maintain connections in an abnormal state, the server-side cleanup routines do not execute correctly.
This results in orphaned resources that remain allocated even though the connection is no longer actively transmitting data. The incomplete cleanup mechanism means that connection timeouts and error handling paths do not properly release all associated objects and memory structures, leading to gradual resource accumulation.
Attack Vector
The attack vector for this vulnerability is network-based and requires low privileges to execute. An attacker can exploit CVE-2024-23672 through the following approach:
- Connection Establishment: The attacker initiates multiple WebSocket connections to the target Apache Tomcat server using a WebSocket client or custom script
- Connection Persistence: Instead of properly closing connections, the attacker keeps them in an open state by sending periodic keep-alive frames or simply leaving them idle without triggering normal timeout behavior
- Resource Exhaustion: By repeating this process across many connections, the attacker gradually consumes server resources including memory, file descriptors, and thread pool capacity
- Service Degradation: As resources become exhausted, legitimate users experience slow response times, connection failures, or complete service unavailability
The attack does not require authentication in most configurations since WebSocket endpoints are often publicly accessible. The exploitation can be automated using simple scripts that establish and maintain large numbers of connections.
Detection Methods for CVE-2024-23672
Indicators of Compromise
- Unusually high number of open WebSocket connections from single IP addresses or small IP ranges
- Gradual increase in memory consumption on Tomcat server processes without corresponding application load increases
- Thread pool exhaustion warnings in Tomcat logs related to WebSocket handling
- Increased count of connections in ESTABLISHED or CLOSE_WAIT states on WebSocket ports
Detection Strategies
- Monitor WebSocket connection counts per client IP address and alert on anomalous patterns exceeding normal thresholds
- Implement connection rate limiting and maximum connection tracking at the load balancer or application firewall level
- Configure Tomcat access logs to capture WebSocket connection events and analyze for suspicious patterns
- Deploy network intrusion detection rules to identify clients establishing excessive WebSocket connections
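The per-client connection-count indicator and detection strategy listed above, as an added example that is not part of the original advisory: it counts ESTABLISHED and CLOSE_WAIT sockets per peer IP on the Tomcat listener port from `netstat -tan` (or `ss -tan`) text and flags peers above a threshold. The port, thresholds and sample rows are constructed assumptions; tune the thresholds to the deployment's own baseline.

```python
"""Per-client WebSocket connection counting over netstat/ss text. Added example,
not part of the original advisory; port, thresholds and sample rows are constructed."""
from collections import Counter, defaultdict

STATE_ALIASES = {"ESTAB": "ESTABLISHED", "CLOSE-WAIT": "CLOSE_WAIT"}  # ss spellings


def parse_connections(text, local_port):
    """Return [(peer_ip, state), ...] for TCP sockets bound to local_port; accepts
    netstat rows (proto first, state last) and ss rows (state first), skips headers."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp"):   # netstat layout
            local, peer, state = f[3], f[4], f[5]
        elif len(f) >= 5 and f[0].isupper():         # ss layout
            state, local, peer = f[0], f[3], f[4]
        else:
            continue
        if local.rpartition(":")[2] == str(local_port):
            peer_ip = peer.rpartition(":")[0].strip("[]")  # keeps IPv6 literals intact
            conns.append((peer_ip, STATE_ALIASES.get(state, state)))
    return conns


def count_by_peer(conns, states=("ESTABLISHED", "CLOSE_WAIT")):
    """Count connections per peer IP, restricted to the socket states the IoCs name."""
    per_peer = defaultdict(Counter)
    for peer_ip, state in conns:
        if state in states:
            per_peer[peer_ip][state] += 1
    return per_peer


def find_anomalies(per_peer, max_per_client=50, max_close_wait=10):
    """Return {peer_ip: reason} for peers above either placeholder threshold."""
    alerts = {}
    for peer_ip, counts in per_peer.items():
        total = sum(counts.values())
        if total > max_per_client:
            alerts[peer_ip] = f"{total} connections held open (limit {max_per_client})"
        elif counts["CLOSE_WAIT"] > max_close_wait:
            alerts[peer_ip] = f"{counts['CLOSE_WAIT']} in CLOSE_WAIT (limit {max_close_wait})"
    return alerts


def sample_netstat():
    """Constructed netstat -tan output: one hoarder, one CLOSE_WAIT pile-up, one normal client."""
    row = "tcp        0      0 10.0.0.5:8080  {}:{}  {}".format
    lines = ["Proto Recv-Q Send-Q Local Address  Foreign Address  State",
             "tcp        0      0 0.0.0.0:8080  0.0.0.0:*  LISTEN"]
    lines += [row("203.0.113.7", 40000 + i, "ESTABLISHED") for i in range(60)]
    lines += [row("198.51.100.9", 50000 + i, "CLOSE_WAIT") for i in range(12)]
    lines += [row("192.0.2.44", 60000 + i, "ESTABLISHED") for i in range(3)]
    return "\n".join(lines)
```

Run `find_anomalies(count_by_peer(parse_connections(sample_netstat(), 8080)))` to see the two flagged peers; in production, feed it the live `netstat -tan` output on a schedule and route the returned alerts to the monitoring stack.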
Monitoring Recommendations
- Set up real-time alerts for Tomcat JVM heap memory utilization exceeding defined thresholds
- Monitor thread pool metrics using JMX or monitoring agents to detect exhaustion conditions
- Track active WebSocket session counts through Tomcat Manager or custom monitoring endpoints
- Implement automated log analysis to correlate connection patterns with resource consumption metrics
How to Mitigate CVE-2024-23672
Immediate Actions Required
- Upgrade Apache Tomcat to patched versions: 11.0.0-M17, 10.1.19, 9.0.86, or 8.5.99 immediately
- Review current WebSocket connection configurations and implement maximum connection limits per client
- Enable connection timeout settings to automatically terminate idle WebSocket connections
- Apply rate limiting at the network perimeter to restrict WebSocket connection establishment rates
Patch Information
Apache has released security patches that address the incomplete cleanup vulnerability in the WebSocket implementation. Users should upgrade to the following fixed versions based on their Tomcat branch:
| Branch | Vulnerable Versions | Fixed Version |
|---|---|---|
| 11.x | 11.0.0-M1 through 11.0.0-M16 | 11.0.0-M17 |
| 10.1.x | 10.1.0-M1 through 10.1.18 | 10.1.19 |
| 9.0.x | 9.0.0-M1 through 9.0.85 | 9.0.86 |
| 8.5.x | 8.5.0 through 8.5.98 | 8.5.99 |
Older, end-of-life versions may also be affected and should be upgraded to a supported branch. The official advisory was published on the Apache Tomcat security mailing list; platform-specific guidance is available in the Debian LTS announcement, the Fedora package announcements and the NetApp security advisory.
Workarounds
- Configure WebSocket idle timeout settings in server.xml to automatically close inactive connections
- Implement a reverse proxy with connection limiting capabilities in front of Tomcat servers
- Use application-level connection management to track and terminate long-running WebSocket sessions
- Deploy Web Application Firewall rules to limit WebSocket connection rates from individual clients
```xml
<!-- Example Tomcat server.xml Connector settings that bound the connections carrying
     WebSocket traffic. connectionTimeout covers only the HTTP phase before the upgrade;
     the idle timeout of an established WebSocket session is set through the JSR 356 API
     (Session.setMaxIdleTimeout or WebSocketContainer.setDefaultMaxSessionIdleTimeout). -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxConnections="10000"
           acceptCount="100"
           maxKeepAliveRequests="100" />
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.