CVE-2024-38286 Overview
CVE-2024-38286 is an Allocation of Resources Without Limits or Throttling vulnerability (CWE-770) affecting Apache Tomcat. Under certain configurations on any platform, this vulnerability allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process. The vulnerability enables remote attackers to exhaust server memory resources without authentication, leading to a denial of service condition that can render web applications completely unavailable.
Critical Impact
Remote attackers can exploit the TLS handshake process to trigger memory exhaustion, causing Apache Tomcat servers to crash with an OutOfMemoryError and denying service to legitimate users.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.0-M20
- Apache Tomcat 10.1.0-M1 through 10.1.24
- Apache Tomcat 9.0.13 through 9.0.89
- Apache Tomcat 8.5.35 through 8.5.100 (EOL)
- Apache Tomcat 7.0.92 through 7.0.109 (EOL)
- NetApp ONTAP Tools 9 and 10 for VMware vSphere
Discovery Timeline
- 2024-11-07 - CVE-2024-38286 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-38286
Vulnerability Analysis
This vulnerability stems from improper resource allocation during TLS handshake processing in Apache Tomcat. The server fails to implement adequate limits or throttling mechanisms when handling TLS connections, allowing attackers to consume excessive memory resources. The attack can be executed remotely over the network without requiring any authentication or user interaction, making it particularly dangerous for internet-facing Tomcat instances.
The vulnerability specifically impacts the TLS handshake mechanism, where an attacker can craft malicious requests that cause the server to allocate memory without proper bounds checking. As these allocations accumulate, the JVM eventually throws an OutOfMemoryError, crashing the Tomcat instance and any applications it hosts.
Root Cause
The root cause of CVE-2024-38286 is the absence of proper resource limits and throttling controls in Apache Tomcat's TLS handshake processing logic. When processing incoming TLS connections, Tomcat allocates memory buffers without enforcing maximum thresholds. This design flaw allows attackers to initiate numerous TLS handshakes that collectively exhaust available heap memory. The lack of per-connection or global memory limits for TLS operations creates an exploitable condition where resource consumption grows unbounded until system failure occurs.
Attack Vector
The attack is conducted over the network by targeting the TLS/SSL connector of an Apache Tomcat server. An attacker initiates multiple malicious TLS handshake requests designed to maximize memory allocation on the target server. Since the attack requires no authentication and no user interaction, it can be launched anonymously against any exposed Tomcat instance configured with TLS support.
The attack flow involves:
- Identifying an Apache Tomcat server with TLS enabled
- Initiating specially crafted TLS handshake requests
- Repeating the process to progressively consume server memory
- Continuing until the server's JVM throws an OutOfMemoryError
For detailed technical information about this vulnerability, refer to the Apache Security Mailing List Post and the Openwall OSS-Security Thread.
Detection Methods for CVE-2024-38286
Indicators of Compromise
- Unusual spikes in memory consumption on Tomcat server processes
- Frequent OutOfMemoryError exceptions in Tomcat logs
- High volume of incomplete TLS handshake attempts from single or distributed sources
- Abnormal JVM garbage collection activity preceding server crashes
Detection Strategies
- Monitor JVM heap usage metrics and alert on rapid memory growth patterns
- Implement network-level monitoring for excessive TLS connection attempts
- Configure application performance monitoring (APM) to track TLS handshake rates
- Review Tomcat catalina.out logs for memory-related errors and exceptions
Monitoring Recommendations
- Set up alerts for JVM memory utilization exceeding an 80% threshold
- Deploy network intrusion detection rules for TLS handshake abuse patterns
- Implement rate limiting at the load balancer or firewall for TLS connections
- Use SentinelOne's runtime application protection to detect anomalous memory behavior
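The three indicator checks above (OutOfMemoryError entries in catalina.out, heap utilisation crossing the 80% line or growing rapidly, and a single source opening TLS connections far faster than normal) can be prototyped in a few functions. The following is an added example, not code from SentinelOne, Apache Tomcat or NetApp; the log lines, heap readings, connection events, the 20%-in-60-seconds growth rule and the 20-connections-per-60-seconds flood rule are all constructed for illustration and should be tuned to the host being monitored.

```python
"""Detection helpers for the CVE-2024-38286 indicators discussed above.

Added example, not code from SentinelOne, Apache Tomcat or NetApp. All log
lines, heap readings, connection events and thresholds are constructed.
"""
import re
from collections import defaultdict, deque

OOM_RE = re.compile(r"java\.lang\.OutOfMemoryError")


def count_oom(log_lines):
    """Count catalina.out lines that report an OutOfMemoryError."""
    return sum(1 for line in log_lines if OOM_RE.search(line))


def heap_alerts(samples, threshold=0.80, growth=0.20, window=60):
    """Alert on JVM heap readings (t_seconds, used_bytes, max_bytes), in time order.

    Returns (kind, t) tuples:
      'threshold'    utilisation above `threshold` (the 80% rule above)
      'rapid_growth' utilisation rose by more than `growth` within `window` seconds
    The 20% / 60 s growth figures are assumed values; tune them per host.
    """
    alerts = []
    recent = deque()  # (t, utilisation) readings inside the trailing window
    for t, used, maximum in samples:
        util = used / maximum
        if util > threshold:
            alerts.append(("threshold", t))
        while recent and t - recent[0][0] > window:
            recent.popleft()
        if recent and util - min(u for _, u in recent) > growth:
            alerts.append(("rapid_growth", t))
        recent.append((t, util))
    return alerts


def tls_flood_sources(events, window=60, hitcount=20):
    """Flag sources opening too many TLS connections, from (t_seconds, src_ip)
    events in time order (e.g. firewall or load-balancer connection logs).

    A source is flagged once it has `hitcount` new connections inside any
    `window`-second span, the same logic as an iptables 'recent' rule with
    --seconds 60 --hitcount 20.
    """
    per_src = defaultdict(deque)
    flagged = set()
    for t, src in events:
        q = per_src[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= hitcount:
            flagged.add(src)
    return flagged


# --- constructed sample data (not from a real server) ------------------------
CATALINA_SAMPLE = [
    "07-Nov-2024 10:02:11.123 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [812] milliseconds",
    "07-Nov-2024 10:15:40.901 SEVERE [https-jsse-nio-8443-exec-3] org.apache.tomcat.util.net.NioEndpoint.processSocket Error running socket processor",
    " java.lang.OutOfMemoryError: Java heap space",
    "07-Nov-2024 10:15:41.044 SEVERE [https-jsse-nio-8443-exec-7] org.apache.tomcat.util.net.NioEndpoint.processSocket Error running socket processor",
    " java.lang.OutOfMemoryError: Java heap space",
]

# (seconds, used, max): a 4 GB heap climbing from 50% to 97.5% in two minutes
HEAP_SAMPLES = [(0, 2.0e9, 4.0e9), (30, 2.2e9, 4.0e9), (60, 3.0e9, 4.0e9),
                (90, 3.5e9, 4.0e9), (120, 3.9e9, 4.0e9)]

# new TLS connections per source (RFC 5737 documentation addresses)
TLS_EVENTS = sorted(
    [(2 * i, "198.51.100.7") for i in range(25)]    # 25 handshakes in 48 s
    + [(10 * i, "203.0.113.5") for i in range(5)]    # 5 handshakes in 40 s
    + [(10 * i, "192.0.2.9") for i in range(20)]     # 20 handshakes spread over 190 s
)

if __name__ == "__main__":
    print("OOM lines:", count_oom(CATALINA_SAMPLE))
    print("heap alerts:", heap_alerts(HEAP_SAMPLES))
    print("flooding sources:", tls_flood_sources(TLS_EVENTS))
```

On the constructed data the script reports two OutOfMemoryError lines, a rapid-growth alert from the 60-second reading onward and threshold alerts from 90 seconds onward, and flags only 198.51.100.7, whose 25 handshakes in 48 seconds exceed the window; the source spreading 20 handshakes over 190 seconds never has more than seven inside any 60-second span and stays unflagged. In production the heap readings would come from JMX or an APM agent and the connection events from the perimeter device, but the sliding-window logic is the same.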
How to Mitigate CVE-2024-38286
Immediate Actions Required
- Upgrade Apache Tomcat to patched versions: 11.0.0-M21, 10.1.25, or 9.0.90
- If immediate patching is not possible, implement network-level rate limiting on TLS connections
- Review and restrict access to Tomcat TLS connectors to trusted networks where feasible
- Configure JVM memory limits and monitor for memory exhaustion patterns
Patch Information
Apache has released fixed versions that address this vulnerability. Users are strongly recommended to upgrade to the following versions:
| Branch | Fixed Version |
|---|---|
| 11.x | 11.0.0-M21 |
| 10.x | 10.1.25 |
| 9.x | 9.0.90 |
For systems running end-of-life versions (8.5.x and 7.x), upgrading to a supported major version is essential as these branches will not receive security patches. Additional details are available in the Apache Security Mailing List Post and the NetApp Security Advisory.
Workarounds
- Implement connection rate limiting at the network perimeter or reverse proxy
- Configure firewall rules to limit TLS connection rates from individual source IPs
- Deploy a Web Application Firewall (WAF) with TLS flood protection capabilities
- Where acceptable for the environment, consider temporarily disabling TLS on the Tomcat connector and terminating TLS at a reverse proxy in front of it instead
```bash
# Example: iptables rate limiting for TLS connections (port 8443)
# Record every new TCP connection to port 8443 in the "recent" table...
iptables -A INPUT -p tcp --dport 8443 -m state --state NEW -m recent --set
# ...and drop a source once it has opened 20 or more new connections within 60 seconds
iptables -A INPUT -p tcp --dport 8443 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.