CVE-2024-24549 Overview
CVE-2024-24549 is a Denial of Service vulnerability caused by improper input validation in Apache Tomcat's HTTP/2 request processing. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This flaw allows remote attackers to exhaust server resources by sending maliciously crafted HTTP/2 requests with excessive headers, potentially causing service disruption for legitimate users.
Critical Impact
Remote attackers can exploit this vulnerability to cause Denial of Service conditions on Apache Tomcat servers by sending HTTP/2 requests that exceed the configured header limits: the server keeps parsing the whole header block and only resets the stream once it has consumed all of it. The impact is to availability only; the flaw discloses no data and does not allow code execution, and only Connectors with HTTP/2 enabled (an UpgradeProtocol element for h2 or h2c) are exposed.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.0-M16
- Apache Tomcat 10.1.0-M1 through 10.1.18
- Apache Tomcat 9.0.0-M1 through 9.0.85
- Apache Tomcat 8.5.0 through 8.5.98
- Debian Linux 10.0
- Fedora 39 and 40
Discovery Timeline
- 2024-03-13 - CVE-2024-24549 published to NVD
- 2025-10-29 - Last updated in NVD database
Technical Details for CVE-2024-24549
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in Apache Tomcat's HTTP/2 protocol handler. The core issue lies in how Tomcat processes HTTP/2 requests that exceed configured header limits. Under normal operation, when a request violates configured constraints, the server should immediately reject the request and reset the associated stream to conserve resources. However, in vulnerable versions, Tomcat continues to process all incoming headers before triggering the stream reset mechanism.
HTTP/2's multiplexing capabilities allow multiple streams to share a single TCP connection, making this vulnerability particularly impactful. An attacker can open numerous HTTP/2 streams and send requests with oversized headers on each stream simultaneously. Since the server processes all headers before resetting each stream, server resources become tied up handling malicious requests, degrading performance for legitimate traffic or causing complete service unavailability.
The vulnerability affects a wide range of Apache Tomcat versions across all major release branches (8.5.x, 9.0.x, 10.1.x, and 11.0.x milestone releases), indicating that the flaw was present in core HTTP/2 handling code shared across these versions.
Root Cause
The root cause is an improper input validation flaw in Apache Tomcat's HTTP/2 implementation. When handling incoming HTTP/2 requests, the server checks whether configured header limits are exceeded but delays the stream reset action until after all headers have been fully parsed and processed. This creates a window where server resources remain allocated for processing oversized requests that will ultimately be rejected, enabling resource exhaustion attacks.
Attack Vector
This vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can target any Apache Tomcat server with HTTP/2 enabled by:
- Establishing an HTTP/2 connection to the target server
- Opening multiple HTTP/2 streams within the connection
- Sending requests whose header blocks exceed the server's configured limits (the Connector's maxHeaderCount and maxHeaderSize, and the matching maxHeaderCount/maxHeaderSize attributes on the Http2Protocol UpgradeProtocol element), typically spread across HEADERS and CONTINUATION frames
- The server keeps decoding every header field on each stream before it sends the RST_STREAM
- Repeating this on many streams keeps worker CPU and memory busy parsing header blocks that will ultimately be rejected, degrading or denying service
The attack leverages HTTP/2's multiplexing to amplify the impact, as numerous streams can be abused simultaneously over a single connection.
Detection Methods for CVE-2024-24549
Indicators of Compromise
- Unusual spikes in HTTP/2 connection and stream creation rates from single sources
- Increased memory consumption on Tomcat server processes during HTTP/2 request handling
- High volume of HTTP/2 streams being reset after extended processing times
- Server log entries indicating header limit violations at abnormally high frequencies (Tomcat's HTTP/2 handler generally records stream errors only at debug level for the org.apache.coyote.http2 package, so this signal is absent unless that logging is enabled)
Detection Strategies
- Monitor Apache Tomcat logs for repeated header limit violations from the same client IP addresses, enabling debug logging for org.apache.coyote.http2 where needed, and note that access logs alone will not show streams reset before a response was produced
- Implement network-level monitoring to detect anomalous HTTP/2 traffic patterns, particularly requests with excessive header counts or sizes
- Deploy application performance monitoring (APM) to track Tomcat server resource utilization and identify sudden degradation
- Configure intrusion detection systems (IDS) with rules to flag HTTP/2 requests containing abnormally large header blocks
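The following script is an added example, not code from the original page and not Tomcat's code or patch. It illustrates both the root cause described under Attack Vector and the frame-level detection suggested above: it parses raw HTTP/2 frames, reassembles each stream's header block from HEADERS and CONTINUATION frames, decodes a minimal HPACK subset (literal field without indexing, new name, no Huffman coding, lengths below 127), and compares a "vulnerable" policy that decodes the whole block before resetting the stream with a "fixed" policy that stops at the first violation. The limit values, the policy names, the detection thresholds in is_abusive and the constructed sample traffic are all assumptions for illustration.

```python
"""CVE-2024-24549 modelled at the HTTP/2 frame level, plus a detection heuristic.
Added example, not Tomcat's code or patch. Parses raw frames (RFC 7540 s4.1) and
the HPACK "literal field without indexing, new name" form only (RFC 7541 s6.2.2;
no Huffman, lengths < 127). Policy "vulnerable" decodes a stream's whole header
block before resetting it; "fixed" stops at the first limit violation. Limits,
policy names, thresholds and sample traffic are assumptions for illustration.
"""
import struct

HEADERS, CONTINUATION = 0x1, 0x9
FLAG_END_HEADERS = 0x4
MAX_HEADER_COUNT = 8    # assumed stand-ins for a Connector's maxHeaderCount and
MAX_HEADER_SIZE = 256   # maxHeaderSize (bytes of decoded name+value per stream)

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length

def header_blocks(frames):
    """Reassemble HEADERS + CONTINUATION fragments into one header block per stream."""
    partial, done = {}, {}
    for ftype, flags, sid, payload in frames:
        if ftype not in (HEADERS, CONTINUATION):
            continue  # DATA, SETTINGS, ... carry no header fields
        partial.setdefault(sid, bytearray()).extend(payload)  # PADDED/PRIORITY not modelled
        if flags & FLAG_END_HEADERS:
            done[sid] = bytes(partial.pop(sid))
    return done

def decode_literal_fields(block):
    """Yield (name, value) per field; only the 0x00 literal/new-name form is accepted."""
    off = 0
    while off < len(block):
        if block[off] != 0x00:
            raise ValueError("indexed or Huffman-coded fields are not modelled")
        nlen = block[off + 1]
        name = block[off + 2:off + 2 + nlen]
        off += 2 + nlen
        vlen = block[off]
        value = block[off + 1:off + 1 + vlen]
        off += 1 + vlen
        yield name.decode(), value.decode()

def process_stream(block, policy):
    """Decode one stream's block under a policy; return (reset, fields_decoded, size)."""
    count = size = 0
    violated = False
    for name, value in decode_literal_fields(block):
        count += 1
        size += len(name) + len(value)
        if count > MAX_HEADER_COUNT or size > MAX_HEADER_SIZE:
            violated = True
            if policy == "fixed":
                break  # reset now; the remaining fields are never decoded
    return violated, count, size

def audit_connection(raw, policy):
    """Summarise one connection: streams seen, streams reset, header fields decoded."""
    blocks = header_blocks(parse_frames(raw))
    resets = fields = 0
    for block in blocks.values():
        reset, n, _ = process_stream(block, policy)
        resets += int(reset)
        fields += n
    return {"streams": len(blocks), "resets": resets, "fields_decoded": fields}

def is_abusive(summary, min_streams=10, reset_ratio=0.5):
    """Detection heuristic (assumed thresholds): many streams, most of them reset."""
    return summary["streams"] >= max(1, min_streams) and summary["resets"] / summary["streams"] >= reset_ratio

def literal_field(name, value):
    """Encode one literal-without-indexing/new-name field (both lengths must be < 127)."""
    n, v = name.encode(), value.encode()
    return b"\x00" + bytes([len(n)]) + n + bytes([len(v)]) + v

def build_sample(n_streams, fields_per_stream):
    """Constructed traffic: odd (client) stream ids, each block split over two frames."""
    def frame(ftype, flags, sid, payload):  # 9-byte RFC 7540 frame header + payload
        return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", sid) + payload
    out = b""
    for i in range(n_streams):
        sid = 2 * i + 1
        block = b"".join(literal_field(f"x-h{j}", "a" * 40) for j in range(fields_per_stream))
        out += frame(HEADERS, 0, sid, block[: len(block) // 2])
        out += frame(CONTINUATION, FLAG_END_HEADERS, sid, block[len(block) // 2:])
    return out

if __name__ == "__main__":
    for policy in ("vulnerable", "fixed"):
        summary = audit_connection(build_sample(50, 40), policy)
        print(policy, summary, "abusive" if is_abusive(summary) else "normal")
```

Running the script shows the asymmetry the advisory describes: under the "vulnerable" policy all 2000 header fields of the 50 constructed streams are decoded before any stream is reset, while the "fixed" policy stops after the field that breaks the size limit. The audit_connection summary is the kind of per-connection metric worth exporting from a reverse proxy or a packet tap, since a high ratio of reset streams to opened streams on one connection is the traffic pattern this attack produces.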
Monitoring Recommendations
- Establish baseline metrics for normal HTTP/2 traffic patterns and alert on significant deviations
- Monitor Tomcat JVM heap usage and garbage collection frequency for signs of resource exhaustion
- Track HTTP/2 stream reset rates and correlate with header processing times to identify exploitation attempts
- Implement real-time alerting for sustained high connection rates to HTTP/2 endpoints
How to Mitigate CVE-2024-24549
Immediate Actions Required
- Upgrade Apache Tomcat to a patched version immediately: 11.0.0-M17, 10.1.19, 9.0.86, or 8.5.99
- If immediate patching is not feasible, consider temporarily disabling HTTP/2 support by removing the UpgradeProtocol element for HTTP/2 from every Connector in server.xml (h2 on TLS connectors, h2c on plain connectors)
- Review the HTTP/2 header limits (maxHeaderCount and maxHeaderSize on the Connector and on the Http2Protocol element), but treat this as a minor reduction in exposure rather than a fix: the flaw is that a violated limit is only acted on after the whole header block has been parsed, so lowering the limits does not shorten the work an attacker can impose
- Implement rate limiting at the network perimeter to restrict connection rates from individual sources
Patch Information
Apache has released security patches addressing this vulnerability. Users are recommended to upgrade to the following versions:
- Apache Tomcat 11.0.0-M17 (for 11.0.x milestone users)
- Apache Tomcat 10.1.19 (for 10.1.x users)
- Apache Tomcat 9.0.86 (for 9.0.x users)
- Apache Tomcat 8.5.99 (for 8.5.x users)
For detailed patch information, refer to the Apache Mailing List Thread. Distribution-specific packages are available through Debian LTS and Fedora.
Workarounds
- Disable HTTP/2 protocol support in Apache Tomcat by removing the UpgradeProtocol element for h2 and h2c from server.xml configuration
- Place a reverse proxy or load balancer in front of Tomcat that can enforce strict HTTP/2 header limits before requests reach the application server
- Configure firewall rules to limit the rate of incoming connections to Tomcat servers
- Monitor and block IP addresses exhibiting attack patterns through web application firewall (WAF) rules
<!-- Disable HTTP/2 in Tomcat server.xml: remove or comment out the UpgradeProtocol
     element in every Connector that has one (h2 on TLS connectors, h2c on plain ones) -->
<!-- <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> -->

<!-- Example: HTTPS Connector serving HTTP/1.1 only (no UpgradeProtocol, so HTTP/2 is off).
     The TLS settings use the SSLHostConfig form, which works on 8.5, 9.0, 10.1 and 11.0. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

