The Apache Software Foundation has released new versions of Apache Tomcat 8 and 9 to address a vulnerability in HTTP/2. Attackers could exploit the vulnerability to cause server-side thread exhaustion.
Successful exploitation of the vulnerability could lead to a denial of service condition on an affected system.
The Apache Software Foundation has released new versions of the products to address the issue, and they can be downloaded at the following URLs:
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20
http://mail-archives.us.apache.org/mod_mbox/www-announce/201906.mbox/%3Cca69531a-1592-be7b-60ce-729549c7f812%40apache.org%3E
https://www.hkcert.org/my_url/en/alert/19062105
https://www.us-cert.gov/ncas/current-activity/2019/06/20/Apache-Releases-Security-Advisory-Apache-Tomcat
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072