CVE-2024-24549: 
Java vulnerability analysis and mitigation

CVE-2024-24549 is a Denial of Service vulnerability discovered in Apache Tomcat affecting versions 11.0.0-M1 through 11.0.0-M16, 10.1.0-M1 through 10.1.18, 9.0.0-M1 through 9.0.85, and 8.5.0 through 8.5.98. The vulnerability was disclosed on March 13, 2024, and relates to improper input validation for HTTP/2 requests (Apache Security).

The vulnerability occurs when processing an HTTP/2 request that exceeds configured limits for headers. The issue arises because the associated HTTP/2 stream was not reset until after all headers had been processed, allowing for potential resource exhaustion (NVD). The vulnerability has been assigned a CVSS v3.1 score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Security).

The successful exploitation of this vulnerability can lead to a Denial of Service (DoS) condition. When an attacker sends HTTP/2 requests with headers exceeding configured limits, the server continues processing all headers before resetting the stream, potentially causing resource exhaustion and affecting service availability (Fortiguard Labs).

The vulnerability has been fixed in Apache Tomcat versions 11.0.0-M17, 10.1.19, 9.0.86, and 8.5.99. Users are strongly recommended to upgrade to these patched versions to address the security issue (Apache Security).