The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
{ "binaries": [ { "binary_name": "libtomcat8-embed-java", "binary_version": "8.5.39-1ubuntu1~18.04.3" }, { "binary_name": "libtomcat8-java", "binary_version": "8.5.39-1ubuntu1~18.04.3" }, { "binary_name": "tomcat8", "binary_version": "8.5.39-1ubuntu1~18.04.3" }, { "binary_name": "tomcat8-admin", "binary_version": "8.5.39-1ubuntu1~18.04.3" }, { "binary_name": "tomcat8-common", "binary_version": "8.5.39-1ubuntu1~18.04.3" }, { "binary_name": "tomcat8-docs", "binary_version": "8.5.39-1ubuntu1~18.04.3" }, { "binary_name": "tomcat8-examples", "binary_version": "8.5.39-1ubuntu1~18.04.3" }, { "binary_name": "tomcat8-user", "binary_version": "8.5.39-1ubuntu1~18.04.3" } ], "ubuntu_priority": "medium", "availability": "No subscription required" }
{ "binaries": [ { "binary_name": "libtomcat9-embed-java", "binary_version": "9.0.16-3ubuntu0.18.04.1" }, { "binary_name": "libtomcat9-java", "binary_version": "9.0.16-3ubuntu0.18.04.1" }, { "binary_name": "tomcat9", "binary_version": "9.0.16-3ubuntu0.18.04.1" }, { "binary_name": "tomcat9-admin", "binary_version": "9.0.16-3ubuntu0.18.04.1" }, { "binary_name": "tomcat9-common", "binary_version": "9.0.16-3ubuntu0.18.04.1" }, { "binary_name": "tomcat9-docs", "binary_version": "9.0.16-3ubuntu0.18.04.1" }, { "binary_name": "tomcat9-examples", "binary_version": "9.0.16-3ubuntu0.18.04.1" }, { "binary_name": "tomcat9-user", "binary_version": "9.0.16-3ubuntu0.18.04.1" } ], "ubuntu_priority": "medium", "availability": "No subscription required" }