CVE-2024-34750 - Apache Tomcat is prone to a denial of service (DoS)

Hello,

installed WMS 4.4, our Greenbone Scanner told us there is a Security issue in the internal Apache of WMS 4.4.

Summary

Apache Tomcat is prone to a denial of service (DoS) vulnerability.

Detection Result

Installed version: 10.1.20
Fixed version:     10.1.25
Installation
path / port:       443/tcp

Product Detection Result

Product	cpe:/a:apache:tomcat:10.1.20
Method	Apache Tomcat Detection Consolidation (1.3.6.1.4.1.25623.1.0.107652)

Insight

When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

Detection Method

Checks if a vulnerable version is present on the target host.

Details:	Apache Tomcat DoS Vulnerability (Jul 2024) - Windows OID: 1.3.6.1.4.1.25623.1.0.152544
Version used:	2024-07-04T09:23:28+02:00

Affected Software/OS

Apache Tomcat versions 9.0.0-M1 through 9.0.89, 10.1.0-M1 through 10.1.24 and 11.0.0-M1 through 11.0.0-M20.

Solution

Solution Type:

Vendorfix

Update to version 9.0.90, 10.1.25, 11.0.0-M21 or later.

References

CVE	CVE: CVE-2024-34750
CERT	dfn-cert: DFN-CERT-2024-1723cert-bund: WID-SEC-2024-1522
Other	url: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l

I fix is not available on the Download Portal.

Talked to Support 1 Minute ago, they told me to install 4.3 will fix my Problem, and i only have limited support because of standart Licence.

Dont think an older Version will fix the CVE.

Do you have any Information about a Security Patch for 4.4?

Regards
Marc