CVE-2024-34750 Overview
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
Critical Impact
This vulnerability allows for denial of service due to uncontrolled resource consumption, leading to potential service disruption.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.0-M20
- Apache Tomcat 10.1.0-M1 through 10.1.24
- Apache Tomcat 9.0.0-M1 through 9.0.89
Discovery Timeline
- Not Available - Vulnerability discovered by Not Available
- Not Available - Responsible disclosure to Apache
- Not Available - CVE CVE-2024-34750 assigned
- Not Available - Apache releases security patch
- 2024-07-03 - CVE CVE-2024-34750 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-34750
Vulnerability Analysis
This vulnerability arises from improper handling of certain HTTP headers, causing a miscount of HTTP/2 streams. The resulting infinite timeout allows connections to linger unnecessarily, leading to potential denial of service (DoS).
Root Cause
The root cause of the vulnerability is the inaccurate accounting of open HTTP/2 streams due to improper handling of excessive headers.
Attack Vector
Network-based. An attacker could exploit this by sending crafted HTTP/2 requests with excessive headers.
# Example exploitation code (sanitized)
# This is a conceptual example, modify headers to overconsume resources.
curl -X POST "http://target-server:8080/example" \
-H "Content-Type: application/http2" \
-H "X-Custom-Header: exploit-excessive-headers"
Detection Methods for CVE-2024-34750
Indicators of Compromise
- Excessive HTTP/2 header requests
- Increased counts of HTTP/2 connections
- Unusually long-lived connections
Detection Strategies
Deploy network monitoring tools to observe abnormal HTTP/2 activity. Check logs for patterns of excessive header requests and unusually persistent connections.
Monitoring Recommendations
Implement application logging to capture residual HTTP/2 header data and timeout settings. Use intrusion detection systems (IDS) to alert on signature matches related to excessive header lengths.
How to Mitigate CVE-2024-34750
Immediate Actions Required
- Update Apache Tomcat to the latest version
- Monitor for abnormal traffic patterns
- Review and adjust HTTP/2 configuration settings
Patch Information
Upgrade to Apache Tomcat version 11.0.0-M21, 10.1.25, or 9.0.90, which address the vulnerability by correctly managing HTTP/2 streams.
Workarounds
If immediate patching is not possible, consider configuring stricter limits on header sizes and connection timeouts temporarily.
# Configuration example
tomcat/conf/server.xml
<Connector port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxHttpHeaderSize="8192" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
