SentinelOne
CVE Vulnerability Database

CVE-2024-34750: Apache Tomcat HTTP/2 DOS Vulnerability

CVE-2024-34750 is a denial of service vulnerability in Apache Tomcat's HTTP/2 implementation that causes connection timeout issues. This article covers the technical details, affected versions, security impact, and mitigation.


CVE-2024-34750 Overview

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

Critical Impact

This vulnerability allows for denial of service due to uncontrolled resource consumption, leading to potential service disruption.

Affected Products

  • Apache Tomcat 11.0.0-M1 through 11.0.0-M20
  • Apache Tomcat 10.1.0-M1 through 10.1.24
  • Apache Tomcat 9.0.0-M1 through 9.0.89

Discovery Timeline

  • 2024-07-03 - CVE CVE-2024-34750 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2024-34750

Vulnerability Analysis

This vulnerability arises from improper handling of certain HTTP headers, causing a miscount of HTTP/2 streams. The resulting infinite timeout allows connections to linger unnecessarily, leading to potential denial of service (DoS).

Root Cause

The root cause of the vulnerability is the inaccurate accounting of open HTTP/2 streams due to improper handling of excessive headers.
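To make the accounting failure concrete, here is a simplified model of the mechanism the description above refers to: a connection keeps an active-stream counter, selects the idle keep-alive timeout only when that counter is zero, and otherwise waits indefinitely because per-stream timeouts are expected to apply. If a stream that is reset for carrying too many headers is never subtracted from the counter, the connection keeps choosing the infinite timeout. This is an illustration added for this article, not Apache Tomcat's code; the class and method names are hypothetical and all limits and traffic values are constructed.

```python
"""Simplified model of the failure mode behind CVE-2024-34750: an active
HTTP/2 stream counter that is not decremented when a stream is reset for
carrying too many headers, so the connection keeps selecting an infinite
timeout. Added illustration for this article, not Apache Tomcat's code;
class and method names are hypothetical and all values are constructed."""

from dataclasses import dataclass, field

KEEP_ALIVE_TIMEOUT_MS = 20_000   # assumed idle timeout used when no streams are active
INFINITE_TIMEOUT = -1            # "wait forever": per-stream timeouts are expected to apply instead
MAX_HEADER_COUNT = 100           # assumed per-stream header limit


class HeaderLimitExceeded(Exception):
    """Raised when a stream carries more headers than the limit allows."""


@dataclass
class Http2Connection:
    fixed: bool                      # False: reproduce the miscount; True: corrected accounting
    active_streams: int = 0
    events: list = field(default_factory=list)

    def connection_timeout_ms(self) -> int:
        """Timeout the connection uses while waiting for the next frame.

        With no active streams the idle keep-alive timeout applies; while
        streams are active the connection waits indefinitely and relies on
        stream-level timeouts to close things down.
        """
        return KEEP_ALIVE_TIMEOUT_MS if self.active_streams == 0 else INFINITE_TIMEOUT

    def process_stream(self, header_count: int) -> bool:
        """Process one stream; return True if it completed normally."""
        self.active_streams += 1
        try:
            if header_count > MAX_HEADER_COUNT:
                raise HeaderLimitExceeded(header_count)
            self.events.append(f"stream completed ({header_count} headers)")
        except HeaderLimitExceeded:
            self.events.append(f"stream reset ({header_count} headers)")
            if not self.fixed:
                # The miscount: the stream is gone, but the counter still
                # includes it, so active_streams never returns to zero.
                return False
        # Normal completion and, with the fix, a reset both release the stream.
        self.active_streams -= 1
        return header_count <= MAX_HEADER_COUNT


def simulate(fixed: bool, header_counts):
    """Run a sequence of streams and return (active_streams, timeout_ms)."""
    conn = Http2Connection(fixed=fixed)
    for count in header_counts:
        conn.process_stream(count)
    return conn.active_streams, conn.connection_timeout_ms()


if __name__ == "__main__":
    traffic = [5, 500, 5]   # constructed: one oversized stream between two normal ones
    print("vulnerable:", simulate(False, traffic))   # (1, -1): connection never times out
    print("fixed:     ", simulate(True, traffic))    # (0, 20000): idle timeout applies again
```

The point of the model is the timeout selection, not the header limit itself: tightening the limit does not help if the counter is wrong, which is why the fix is in the stream accounting rather than in configuration.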

Attack Vector

Network-based. An attacker could exploit this by sending crafted HTTP/2 requests with excessive headers.

```bash
# Example exploitation code (sanitized)
# This is a conceptual example; modify headers to overconsume resources.
# Note: as written this is a plain HTTP/1.1 request with a made-up
# Content-Type value, so it does not exercise the HTTP/2 code path at all.
curl -X POST "http://target-server:8080/example" \
     -H "Content-Type: application/http2" \
     -H "X-Custom-Header: exploit-excessive-headers"
```

Detection Methods for CVE-2024-34750

Indicators of Compromise

  • Excessive HTTP/2 header requests
  • Increased counts of HTTP/2 connections
  • Unusually long-lived connections

Detection Strategies

Deploy network monitoring tools to observe abnormal HTTP/2 activity. Check logs for patterns of excessive header requests and unusually persistent connections.

Monitoring Recommendations

Enable application and access logging that records HTTP/2 connection and stream activity alongside the configured timeout settings. Use intrusion detection systems (IDS) to alert on signature matches for excessive header lengths.
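The indicator that matters most here is a connection that stays open long after it should have been closed. The following script, written as an added example for this article (not a SentinelOne or Apache tool), correlates a snapshot of open connections to the connector port with access-log lines and flags peers holding many connections idle beyond the keep-alive timeout. Both the connection snapshot and the log lines are constructed; the log layout assumes the pattern `%h %l %u %t "%r" %s %b %H`, and the timeout and alert thresholds are assumptions to be replaced with the values from your own `server.xml`.

```python
"""Flag peers holding HTTP/2 connections open long after their last request.

Added example for this article. The connection table and access-log lines
are constructed; in practice the table would come from ss/netstat or the
connector's JMX metrics, and the log from Tomcat's AccessLogValve."""

import re
from collections import Counter
from datetime import datetime, timedelta, timezone

KEEP_ALIVE_TIMEOUT = timedelta(seconds=20)   # assumed connector keepAliveTimeout
MIN_STALE_PER_PEER = 10                      # assumed alert threshold per peer
UTC = timezone.utc

# Constructed snapshot: (peer address, peer port, time the connection was accepted).
OPEN_CONNECTIONS = [
    ("203.0.113.10", 41000 + i, datetime(2024, 7, 3, 12, 0, 0, tzinfo=UTC))
    for i in range(60)
] + [("198.51.100.7", 52000, datetime(2024, 7, 3, 12, 9, 30, tzinfo=UTC))]

# Constructed access-log lines in the assumed pattern '%h %l %u %t "%r" %s %b %H'.
ACCESS_LOG = """\
203.0.113.10 - - [03/Jul/2024:12:00:01 +0000] "POST /example HTTP/2.0" 400 0 HTTP/2.0
198.51.100.7 - - [03/Jul/2024:12:09:45 +0000] "GET /index.html HTTP/2.0" 200 1523 HTTP/2.0
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[^"]*" \d+ \S+ (?P<proto>\S+)$'
)


def last_request_by_peer(log_text: str) -> dict:
    """Return {peer: time of its most recent HTTP/2 request} from access-log text."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("proto").startswith("HTTP/2"):
            continue
        ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
        peer = m.group("host")
        seen[peer] = max(seen.get(peer, ts), ts)
    return seen


def find_stale_peers(connections, log_text: str, now: datetime) -> dict:
    """Return {peer: stale connection count} for peers over the alert threshold.

    A connection is stale when it has been open with no logged request for
    longer than the keep-alive timeout: a healthy server would have closed it.
    """
    last_seen = last_request_by_peer(log_text)
    stale = Counter()
    for peer, _port, accepted in connections:
        last_activity = max(accepted, last_seen.get(peer, accepted))
        if now - last_activity > KEEP_ALIVE_TIMEOUT:
            stale[peer] += 1
    return {peer: n for peer, n in stale.items() if n >= MIN_STALE_PER_PEER}


if __name__ == "__main__":
    snapshot_time = datetime(2024, 7, 3, 12, 10, 0, tzinfo=UTC)   # constructed
    for peer, count in find_stale_peers(OPEN_CONNECTIONS, ACCESS_LOG, snapshot_time).items():
        print(f"ALERT {peer}: {count} connections idle beyond {KEEP_ALIVE_TIMEOUT}")
```

The threshold guards against noise from a single slow client; a per-peer count of idle connections an order of magnitude above normal is the pattern worth paging on, and the same correlation can be run repeatedly to confirm the connections are not being closed over time.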

How to Mitigate CVE-2024-34750

Immediate Actions Required

  • Update Apache Tomcat to the latest version
  • Monitor for abnormal traffic patterns
  • Review and adjust HTTP/2 configuration settings

Patch Information

Upgrade to Apache Tomcat version 11.0.0-M21, 10.1.25, or 9.0.90, which address the vulnerability by correctly managing HTTP/2 streams.

Workarounds

If immediate patching is not possible, consider configuring stricter limits on header sizes and connection timeouts temporarily.

```xml
<!-- Configuration example: tomcat/conf/server.xml.
     As shown, this Connector serves HTTP/1.1 only; HTTP/2 is enabled by a
     nested UpgradeProtocol element (org.apache.coyote.http2.Http2Protocol),
     and HTTP/2 header limits (maxHeaderSize, maxHeaderCount) are set on
     that element rather than on the Connector. -->
<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxHttpHeaderSize="8192" />
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
