Apache Tomcat
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*
- >= 9.0.76, <= 9.0.102
- >= 10.1.10, <= 10.1.39
- >= 11.0.0-M2, <= 11.0.5
A denial-of-service vulnerability has been identified in Apache Tomcat versions 9.0.76 prior to 9.0.102, 10.1.10 prior to 10.1.39, and 11.0.0-M2 prior to 11.0.5. The issue arises from improper input validation and incorrect error handling of certain invalid HTTP priority headers. This flaw causes incomplete cleanup of failed requests, leading to memory leaks. If a large number of such requests are processed, they can exhaust available memory, triggering an OutOfMemoryException and causing a denial-of-service condition.
Exploitation of this vulnerability can lead to a denial-of-service condition, where the server becomes unresponsive due to exhausted memory resources.
Users are advised to upgrade to Apache Tomcat versions 9.0.104, 10.1.40, or 11.0.6, all of which include the necessary fix. Note that while this issue was addressed in Apache Tomcat 9.0.103, that version is not available due to a failed release vote, so users must upgrade to 9.0.104.
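To turn the affected-version ranges above into an inventory check, the following added example (not part of this advisory or of the Tomcat project) parses a Tomcat version string, compares it against the inclusive ranges listed above, and returns the fixed release to upgrade to. It assumes Tomcat's usual `major.minor.patch` form with an optional `-Mn` milestone suffix (so `11.0.0-M2` sorts before `11.0.0`), and the `version_from_banner` helper assumes the `Server version: Apache Tomcat/x.y.z` line that `catalina.sh version` prints; the sample banner is constructed.

```python
import re
from typing import Optional, Tuple

# Affected ranges from the advisory (inclusive bounds) and the release
# that carries the fix for each branch. 9.0.103 is skipped because that
# release vote failed, so the 9.0.x fix is 9.0.104.
AFFECTED_RANGES = [
    ("9.0.76", "9.0.102", "9.0.104"),
    ("10.1.10", "10.1.39", "10.1.40"),
    ("11.0.0-M2", "11.0.5", "11.0.6"),
]

# major.minor.patch with an optional milestone suffix such as 11.0.0-M2
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Parse a Tomcat version string into a sortable tuple.

    Milestone builds sort before the final release of the same number:
    11.0.0-M2 < 11.0.0. Anything that does not match raises ValueError,
    so an unexpected string fails loudly instead of being reported clean.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        # final release: milestone flag 1 sorts after any -Mn of the same number
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def check_version(v: str) -> Optional[str]:
    """Return the fixed version to upgrade to if v is affected, else None."""
    pv = parse_version(v)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= pv <= parse_version(high):
            return fixed
    return None


def version_from_banner(text: str) -> Optional[str]:
    """Extract the version from 'catalina.sh version' output (assumed format)."""
    m = re.search(r"Apache Tomcat/(\S+)", text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample of the banner printed by 'catalina.sh version'
    sample_banner = "Server version: Apache Tomcat/10.1.20\nServer number:  10.1.20.0\n"
    found = version_from_banner(sample_banner)
    fix = check_version(found) if found else None
    if fix:
        print(f"Tomcat {found} is affected; upgrade to {fix}")
    else:
        print(f"Tomcat {found} is not in an affected range")
```

Run it against the output of `catalina.sh version` on each host; an affected instance reports the branch's fixed release, and a version string the parser does not recognise raises rather than being silently treated as safe.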