Categories: Cyber Security News

Apache Tomcat Coyote Vulnerability Let Attackers Trigger DoS Attack

A newly disclosed flaw in Apache Tomcat’s Coyote engine—tracked as CVE-2025-53506—has surfaced in the latest round of HTTP/2 security advisories.

First noted in the National Vulnerability Database five days ago, the weakness stems from Coyote’s failure to enforce a hard cap on concurrent streams when an HTTP/2 client never acknowledges the server’s initial SETTINGS frame.

By repeatedly initiating streams that are never closed, a remote attacker can exhaust the server’s thread pool and force the container into a prolonged denial-of-service state, even though confidentiality and integrity remain unaffected.

Because the exploit rides ordinary TCP port 443 traffic, firewalls see nothing suspicious; attack complexity remains low, and no credentials are required.

GitHub analysts subsequently traced the issue to a race condition introduced during the refactor that added dynamic stream limits, publishing proof-of-concept traffic captures that reliably crash unpatched builds.

The vulnerability affects every maintained branch: 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, and 9.0.0.M1 through 9.0.106.

Apache has released fixed versions 11.0.9, 10.1.43, and 9.0.107; administrators who cannot upgrade immediately should at least disable HTTP/2 or limit maxConcurrentStreams at the reverse-proxy layer to avoid service interruptions.

CVSS v4 scores the flaw 6.3, tagging availability as High while leaving other impact metrics at None, underscoring its DoS-centric profile.

Exploiting the Stream-Flood Mechanism

In practice, the attacker holds a single TLS session open and loops the following payload:

PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n    ; connection preface
…SETTINGS (ACK omitted)            ; server settings never acknowledged
HEADERS  END_STREAM=0  …           ; open stream 1
HEADERS  END_STREAM=0  …           ; open stream 3 (client-initiated streams use odd IDs)
/* repeat until thread pool saturation */

Because Tomcat allocates a worker per stream before receiving any actual data, each orphaned stream ties up a thread indefinitely.

Once the executor queue maxes out, legitimate requests time out, effectively knocking the site offline without crashing the JVM.

Modern reverse proxies that enforce a SETTINGS-ack timeout or hard stream ceiling neutralize the attack, making upstream mitigation practical until full patch deployment.
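The following is an added illustration, not code from the article or from the Tomcat project: a small frame-level monitor, in the spirit of the SETTINGS-ack and stream-ceiling checks mentioned above, that walks the client-to-server byte stream of one HTTP/2 connection and flags the pattern described in the previous section (no SETTINGS ACK, while more than a threshold of streams sit open with no END_STREAM). The frame layout follows RFC 9113; the threshold of 100 is an assumed value, the two sample sessions are constructed here for the test, and the HEADERS payloads are left empty because the monitor never inspects HPACK data. It would be applied to decrypted traffic, i.e. at the TLS-terminating proxy or on a decrypted capture, since the flood itself rides inside TLS on port 443.

```python
import struct
from dataclasses import dataclass, field

# RFC 9113 constants (the 24-byte client preface and the frame types/flags used here)
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_HEADER_LEN = 9
TYPE_DATA, TYPE_HEADERS, TYPE_RST_STREAM, TYPE_SETTINGS = 0x0, 0x1, 0x3, 0x4
FLAG_END_STREAM = 0x1    # on DATA and HEADERS frames
FLAG_END_HEADERS = 0x4   # on HEADERS frames
FLAG_ACK = 0x1           # on SETTINGS frames


def frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = (struct.pack("!I", len(payload))[1:]
              + bytes([ftype, flags])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + payload


@dataclass
class ConnState:
    settings_acked: bool = False
    # streams on which the client sent HEADERS but has not yet sent END_STREAM or RST_STREAM
    pending_streams: set = field(default_factory=set)
    frames_seen: int = 0


def analyze_client_bytes(data: bytes, max_streams: int = 100):
    """Walk the client->server bytes of one connection; return (state, findings).

    Heuristic: a connection that never ACKs the server's SETTINGS yet keeps more than
    max_streams streams open without END_STREAM matches the stream-flood pattern.
    max_streams=100 is an assumed threshold, not a value taken from the advisory.
    """
    findings = []
    st = ConnState()
    if not data.startswith(PREFACE):
        findings.append("missing HTTP/2 connection preface")
        return st, findings
    pos = len(PREFACE)
    while pos + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        pos += FRAME_HEADER_LEN + length      # payload bytes are skipped, not decoded
        st.frames_seen += 1
        if ftype == TYPE_SETTINGS and flags & FLAG_ACK:
            st.settings_acked = True
        elif ftype == TYPE_HEADERS and not flags & FLAG_END_STREAM:
            st.pending_streams.add(stream_id)            # request left open by the client
        elif ftype == TYPE_RST_STREAM or (
                ftype in (TYPE_HEADERS, TYPE_DATA) and flags & FLAG_END_STREAM):
            st.pending_streams.discard(stream_id)        # client finished or reset it
        if not st.settings_acked and len(st.pending_streams) > max_streams:
            findings.append(
                f"{len(st.pending_streams)} streams open with no SETTINGS ACK "
                f"(threshold {max_streams}) after {st.frames_seen} frames")
            break
    return st, findings


def benign_session() -> bytes:
    """Constructed sample: client ACKs the server SETTINGS and sends one complete request."""
    return (PREFACE
            + frame(TYPE_SETTINGS, 0, 0)                                  # client SETTINGS
            + frame(TYPE_SETTINGS, FLAG_ACK, 0)                           # ACK of server SETTINGS
            + frame(TYPE_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, 1)) # finished request


def stream_flood_session(n: int) -> bytes:
    """Constructed sample mirroring the sequence in the article: no SETTINGS ACK and
    n HEADERS frames on odd stream ids that never carry END_STREAM."""
    out = PREFACE + frame(TYPE_SETTINGS, 0, 0)
    for i in range(n):
        out += frame(TYPE_HEADERS, FLAG_END_HEADERS, 2 * i + 1)
    return out


if __name__ == "__main__":
    for name, blob in (("benign", benign_session()), ("flood", stream_flood_session(150))):
        state, found = analyze_client_bytes(blob)
        print(name, "acked=%s pending=%d" % (state.settings_acked, len(state.pending_streams)), found)
```

The monitor stops at the first finding so that a proxy or IDS hook could drop or rate-limit the connection as soon as the ceiling is crossed; a real deployment would also need a clock to implement the SETTINGS-ack timeout the article mentions, which a byte-stream walk alone cannot supply.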


The post Apache Tomcat Coyote Vulnerability Let Attackers Trigger DoS Attack appeared first on Cyber Security News.
