Recently, Apache Tomcat released an official security advisory disclosing a DoS vulnerability (CVE-2023-28709). The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters, and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed, with the potential for a denial of service to occur.
If you are an Apache Tomcat user, check your system and implement timely security hardening.
Reference:
https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j
https://tomcat.apache.org/security-10.html
Severity: important
(Severity scale: low, moderate, important, critical)
Affected versions:
Apache Tomcat 11.0.0-M2 to 11.0.0-M4
Apache Tomcat 10.1.5 to 10.1.7
Apache Tomcat 9.0.71 to 9.0.73
Apache Tomcat 8.5.85 to 8.5.87
Secure versions:
Apache Tomcat 11.0.0-M5 or later
Apache Tomcat 10.1.8 or later
Apache Tomcat 9.0.74 or later
Apache Tomcat 8.5.88 or later
This vulnerability has been fixed in later official versions. If your service version falls into the affected range, upgrade it to the latest secure version.
https://tomcat.apache.org/whichversion.html
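To map a deployed Tomcat version onto the ranges listed above, the following added example (not Apache's own code) parses Tomcat version strings, including milestone builds such as 11.0.0-M4, and classifies them against this advisory; the range tables and function names are my own.

```python
import re

# Affected ranges (inclusive) and first fixed version per branch,
# taken from the advisory text above.
AFFECTED = {
    "11.0": ("11.0.0-M2", "11.0.0-M4"),
    "10.1": ("10.1.5", "10.1.7"),
    "9.0": ("9.0.71", "9.0.73"),
    "8.5": ("8.5.85", "8.5.87"),
}
FIXED = {"11.0": "11.0.0-M5", "10.1": "10.1.8", "9.0": "9.0.74", "8.5": "8.5.88"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version):
    """Return a comparable tuple for a Tomcat version string.

    Milestones (x.y.z-Mn) must sort before the final x.y.z release, so a
    milestone becomes (x, y, z, 0, n) and a GA build becomes (x, y, z, 1, 0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(version):
    """Classify a version against CVE-2023-28709.

    Returns 'affected', 'fixed', 'older' (predates the advisory's range on a
    listed branch, so it must be checked against the CVE-2023-24998 advisory
    instead), or 'unlisted' (a branch this advisory does not cover).
    """
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch not in AFFECTED:
        return "unlisted"
    low, high = (parse_version(v) for v in AFFECTED[branch])
    if low <= parsed <= high:
        return "affected"
    if parsed >= parse_version(FIXED[branch]):
        return "fixed"
    return "older"


if __name__ == "__main__":
    # Constructed sample inventory; replace with output of `version.sh`.
    for v in ["9.0.72", "10.1.8", "11.0.0-M4", "8.5.84", "7.0.109"]:
        print(f"{v}: {assess(v)}")
```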
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.