CVE-2024-24549: CWE-20 Improper Input Validation in Apache Software Foundation Apache Tomcat
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.
AI Analysis
Technical Summary
CVE-2024-24549 is a vulnerability classified under CWE-20 (Improper Input Validation) in the Apache Software Foundation's Apache Tomcat server. It affects HTTP/2 request handling in Tomcat versions 8.5.0 through 8.5.98, 9.0.0-M1 through 9.0.85, 10.1.0-M1 through 10.1.18, and 11.0.0-M1 through 11.0.0-M16. When the headers of an HTTP/2 request exceed any configured limit, the associated HTTP/2 stream is not reset as soon as the breach is detected; the reset is delayed until all headers have been processed, so the server keeps spending resources on a request it has already decided to reject. An attacker can exploit this by sending crafted HTTP/2 requests with excessive headers to exhaust server resources, causing a denial of service (DoS). The vulnerability does not affect confidentiality or integrity, only availability. The CVSS v3.1 score is 7.5 (high), reflecting the network attack vector, no required privileges or user interaction, and the high impact on availability. The issue is fixed in versions 11.0.0-M17, 10.1.19, 9.0.86, and 8.5.99. No public exploits have been reported yet, but the vulnerability is straightforward to exploit remotely, making it a significant threat to affected systems.
Potential Impact
For European organizations, the primary impact of CVE-2024-24549 is the potential for denial of service attacks against web applications and services running on vulnerable Apache Tomcat servers. This can lead to service outages, degraded performance, and disruption of business operations, especially for public-facing services relying on HTTP/2. Critical infrastructure, government portals, financial institutions, and large enterprises using Tomcat as part of their web stack are at risk of operational disruption. The vulnerability does not expose sensitive data but can cause significant availability issues, potentially affecting customer trust and compliance with service-level agreements. Given the widespread use of Apache Tomcat in Europe, the risk is substantial, particularly in sectors with high reliance on web services and cloud deployments. The lack of required authentication or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation attempts.
Mitigation Recommendations
European organizations should prioritize upgrading Apache Tomcat to the fixed versions: 11.0.0-M17, 10.1.19, 9.0.86, or 8.5.99, depending on their current deployment. In addition to patching, organizations should:
- Review and tighten HTTP/2 header size and count limits to reasonable thresholds to reduce the attack surface.
- Implement network-level protections such as rate limiting and web application firewalls (WAFs) configured to detect and block abnormal HTTP/2 header patterns.
- Monitor server logs and network traffic for unusual spikes in HTTP/2 requests or header anomalies indicative of exploitation attempts.
- Employ redundancy and load balancing to mitigate potential DoS impacts.
- Conduct regular vulnerability scans and penetration tests focusing on HTTP/2 handling.
- Ensure incident response plans include procedures for DoS scenarios involving web servers.
These steps, combined with timely patching, will significantly reduce the risk posed by this vulnerability.
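As an added illustration of the first recommendation (this fragment is not part of the advisory or of the Tomcat project's documentation), the HTTP/2 header limits in Tomcat live on the `Http2Protocol` upgrade handler in `server.xml`; the limit values and the keystore path below are illustrative assumptions to be tuned per deployment, and tightening them reduces the work a rejected request can cause but does not replace the upgrade that fixes the delayed stream reset.

```xml
<!-- server.xml fragment: HTTP/1.1 connector with HTTP/2 enabled via upgrade.
     Limit values are illustrative assumptions; Tomcat's defaults are
     100 headers and 8192 bytes for both the header and trailer blocks. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           SSLEnabled="true"
           maxHttpHeaderSize="8192">
    <!-- HTTP/2 handler limits. Keep them as tight as the applications behind
         this connector allow; a stream exceeding any of them is reset, and on
         a fixed Tomcat version that reset happens as soon as the limit is hit
         rather than after the whole header block has been processed. -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                     maxHeaderCount="64"
                     maxHeaderSize="8192"
                     maxTrailerCount="16"
                     maxTrailerSize="4096"
                     maxConcurrentStreams="100" />
    <SSLHostConfig>
        <!-- Placeholder keystore path; replace with the deployment's own. -->
        <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

To confirm which Tomcat build is actually running before and after the upgrade, `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` from `CATALINA_HOME` prints the server version string.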
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2024-01-25T12:05:42.034Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690204533aaa02566521b502
Added to database: 10/29/2025, 12:10:59 PM
Last enriched: 10/29/2025, 12:21:04 PM
Last updated: 10/30/2025, 10:18:15 AM