
CVE-2024-34750: CWE-755 Improper Handling of Exceptional Conditions in Apache Software Foundation Apache Tomcat

Severity: High
Tags: Vulnerability, CVE-2024-34750, CWE-755, CWE-400
Published: Wed Jul 03 2024 (07/03/2024, 19:32:34 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Tomcat

Description

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams, which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
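To check an inventory of Tomcat installations against the version ranges stated in the description, here is an added example (not from the advisory or the Tomcat project) that encodes those ranges and handles the milestone ordering, so that 11.0.0-M20 is reported as affected and 11.0.0-M21 is not:

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the CVE-2024-34750 description (inclusive).
# Milestone builds (e.g. 11.0.0-M20) precede the final release of the same
# number, so "M" versions must sort below the corresponding non-milestone.
AFFECTED = [
    ("11.0.0-M1", "11.0.0-M20"),
    ("10.1.0-M1", "10.1.24"),
    ("9.0.0-M1", "9.0.89"),
    ("8.5.0", "8.5.100"),   # EOL branch, listed as affected
]
# Fixed releases per major version, as stated in the description.
FIXED = {"11": "11.0.0-M21", "10": "10.1.25", "9": "9.0.90"}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse(v: str) -> Tuple[int, int, int, int, int]:
    """Parse '9.0.89' or '11.0.0-M20' into a sortable tuple.

    The 4th element is 0 for milestones and 1 for releases, so every
    milestone of X.Y.Z orders before the X.Y.Z release itself.
    """
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    if ms is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(ms))


def is_affected(version: str) -> bool:
    """True if `version` falls inside one of the published affected ranges."""
    p = parse(version)
    return any(parse(lo) <= p <= parse(hi) for lo, hi in AFFECTED)


def recommended_fix(version: str) -> Optional[str]:
    """Fixed release for the same major branch, or None if none was published."""
    return FIXED.get(str(parse(version)[0]))
```

Versions outside the listed ranges (including other EOL branches the advisory says "may also be affected") are reported as not affected, so treat a negative result on an EOL branch as "not listed" rather than "safe".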

AI-Powered Analysis

AI analysis last updated: 11/06/2025, 01:57:18 UTC

Technical Analysis

CVE-2024-34750 is a vulnerability classified under CWE-755 (Improper Handling of Exceptional Conditions) and CWE-400 (Uncontrolled Resource Consumption) affecting Apache Tomcat versions from 8.5.0 through 11.0.0-M20. The root cause lies in Tomcat's HTTP/2 stream processing logic, where excessive HTTP headers cause the server to miscount the number of active HTTP/2 streams. This miscount leads to the assignment of an incorrect infinite timeout value for certain connections that should otherwise be closed. Consequently, these connections remain open indefinitely, consuming server resources such as memory and file descriptors. This behavior can be exploited remotely without authentication or user interaction, making it a network-exploitable denial-of-service (DoS) vector. The vulnerability affects multiple major Tomcat branches, including versions 8.5.x, 9.0.x, 10.1.x, and 11.0.x pre-release milestones. The issue was publicly disclosed on July 3, 2024, with no known active exploits reported at the time. The Apache Software Foundation has released fixed versions 11.0.0-M21, 10.1.25, and 9.0.90 that correct the stream counting and timeout logic. Organizations using affected Tomcat versions should upgrade promptly to mitigate the risk of resource exhaustion and potential service outages. Monitoring for abnormal HTTP/2 connection persistence and resource utilization is also recommended as a detection measure.

Potential Impact

The primary impact of CVE-2024-34750 is on the availability of services hosted on Apache Tomcat servers. By exploiting the improper handling of HTTP/2 streams, an attacker can cause connections to remain open indefinitely, leading to uncontrolled resource consumption such as memory, CPU, and network sockets. This can degrade server performance, exhaust system resources, and ultimately cause denial of service, disrupting web applications and services. For European organizations, this can translate into significant operational downtime, loss of customer trust, and potential regulatory scrutiny if critical services are affected. Public sector entities, financial institutions, and large enterprises that rely heavily on Tomcat for web hosting and application delivery are particularly vulnerable. Given the widespread use of Apache Tomcat across Europe, the threat could impact a broad range of industries. Additionally, prolonged resource exhaustion may increase the risk of cascading failures in interconnected systems. Although confidentiality and integrity are not directly impacted, the availability disruption can have severe business consequences.

Mitigation Recommendations

1. Immediate upgrade to the fixed Apache Tomcat versions: 11.0.0-M21, 10.1.25, or 9.0.90, depending on the version branch in use.
2. Implement network-level rate limiting and filtering to restrict excessive HTTP/2 header usage and abnormal connection persistence.
3. Monitor server metrics closely for unusual spikes in open connections, memory usage, and CPU load that may indicate exploitation attempts.
4. Configure HTTP/2 settings to enforce stricter limits on header sizes and stream counts where possible.
5. Employ Web Application Firewalls (WAFs) capable of detecting and blocking malformed or excessive HTTP/2 requests.
6. Conduct regular vulnerability assessments and penetration testing focusing on HTTP/2 protocol handling.
7. For legacy or EOL Tomcat versions that cannot be immediately upgraded, consider isolating these servers behind reverse proxies that can enforce connection timeouts and header limits.
8. Maintain up-to-date incident response plans to quickly address potential DoS incidents stemming from this vulnerability.
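Recommendation 4 can be checked mechanically against server.xml. The following added script (not part of the advisory or of Tomcat) parses a constructed server.xml fragment and reports every HTTP/2 connector whose Http2Protocol attributes are missing or looser than an assumed policy; the attribute names are real Tomcat Http2Protocol attributes, while the ceilings and the sample configuration are assumptions:

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: port 8443 enables HTTP/2 with no explicit
# limits (weak), port 8444 sets header, stream and timeout limits (hardened).
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" connectionTimeout="20000">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                       maxConcurrentStreams="50" maxHeaderCount="50"
                       maxHeaderSize="8192" keepAliveTimeout="10000"
                       readTimeout="5000" streamReadTimeout="10000"/>
    </Connector>
  </Service>
</Server>"""

# Http2Protocol attribute -> maximum acceptable value. The ceilings are an
# assumed local policy, not Tomcat's defaults; tune them to your environment.
LIMITS = {
    "maxConcurrentStreams": 100,
    "maxHeaderCount": 100,
    "maxHeaderSize": 16384,
    "keepAliveTimeout": 30000,   # milliseconds
    "readTimeout": 10000,        # milliseconds
    "streamReadTimeout": 20000,  # milliseconds
}


def audit_http2(server_xml: str) -> dict:
    """Return {connector port: [findings]} for each HTTP/2-enabled Connector.

    An empty findings list means every policed attribute is set explicitly
    and within the policy ceiling.
    """
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        for up in conn.findall("UpgradeProtocol"):
            if not up.get("className", "").endswith("Http2Protocol"):
                continue  # not an HTTP/2 upgrade handler
            findings = []
            for attr, ceiling in LIMITS.items():
                raw = up.get(attr)
                if raw is None:
                    findings.append(f"{attr} not set (Tomcat default applies)")
                elif int(raw) > ceiling:
                    findings.append(f"{attr}={raw} exceeds policy ceiling {ceiling}")
            report[conn.get("port")] = findings
    return report
```

Tighter limits reduce how much an unpatched server will accept per connection, but they do not correct the stream miscount itself; upgrading remains the fix.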


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2024-05-08T07:23:16.760Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690204553aaa02566521b55f

Added to database: 10/29/2025, 12:11:01 PM

Last enriched: 11/6/2025, 1:57:18 AM

Last updated: 12/13/2025, 9:52:22 AM

Views: 65
