Skip to content

Remediate embedded Tomcat HTTP/2 DoS exposure by pinning patched 9.0.x line#47

Draft
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/update-apache-tomcat-dependency
Draft

Remediate embedded Tomcat HTTP/2 DoS exposure by pinning patched 9.0.x line#47
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/update-apache-tomcat-dependency

Conversation

Copilot AI commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

This change addresses a high-severity Apache Tomcat HTTP/2 denial-of-service vulnerability (CVE-2024-34750) affecting stream accounting and connection timeout behavior under excessive headers. The service now resolves embedded Tomcat to a patched 9.0.x version to remove vulnerable artifacts from runtime.

  • Dependency remediation

    • Introduced an explicit Gradle property override to force Spring Boot-managed Tomcat modules onto a patched release.
    • Set tomcat.version to 9.0.118, ensuring tomcat-embed-core resolves above the vulnerable range and aligns companion embed modules on the same version line.
  • HTTP/2 configuration impact

    • No explicit Tomcat HTTP/2 connector/protocol overrides exist in the codebase, so no config migration was required.
    • Existing application behavior and service-level settings remain unchanged outside dependency resolution.
// build.gradle.kts
extra["tomcat.version"] = "9.0.118"

Copilot AI changed the title [WIP] Update Apache Tomcat to fix denial of service vulnerability Remediate embedded Tomcat HTTP/2 DoS exposure by pinning patched 9.0.x line Jun 29, 2026
Copilot AI requested a review from pagarwal-dev June 29, 2026 10:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants