# CVE-2024-24549 — Apache Tomcat HTTP/2 deferred-validateHeaders DoS.
#
# Single service: the official, UNMODIFIED Apache Tomcat 10.1.18 image
# (a known-vulnerable version, 10.1.x <= 10.1.18). The vulnerable artifact
# ships in the image; we only bind-mount our own server.xml (h2c connector
# + modest 8 KB header limit, no proxy/TLS) and logging.properties (raise
# org.apache.coyote.http2 to FINE so the per-stream rejection stack trace
# reaches stdout). Source under /usr/local/tomcat is never patched.
#
# Port is bound to 127.0.0.1 only.

services:
  tomcat:
    # Pinned to the last affected 10.1.x release. A tag is mutable, though;
    # if the vulnerable artifact must stay bit-for-bit reproducible, also pin
    # the digest (`image: tomcat:10.1.18-jdk17-temurin-jammy@sha256:<DIGEST_PLACEHOLDER>`).
    image: tomcat:10.1.18-jdk17-temurin-jammy
    container_name: cve-2024-24549-tomcat
    # Quoted on purpose: a bare `no` is a YAML 1.1 boolean (false), not the
    # restart-policy name. Not restarting keeps a crash or OOM during a DoS
    # reproduction visible instead of hiding it behind an automatic restart.
    restart: "no"
    ports:
      # Loopback-only publish: the known-vulnerable listener is reachable
      # from this host only, never from other machines on the network.
      - "127.0.0.1:8080:8080"
    volumes:
      # Read-only bind mounts. Only these two files replace the image's
      # defaults; the rest of /usr/local/tomcat stays the image's own,
      # unpatched tree.
      - ./config/server.xml:/usr/local/tomcat/conf/server.xml:ro
      - ./config/logging.properties:/usr/local/tomcat/conf/logging.properties:ro
    # NOTE(review): no cpu/memory/pids cap on this service. A header-handling
    # DoS reproduction can consume whatever the host allows; on a shared host
    # consider `mem_limit` / `cpus` / `pids_limit`, and confirm first that a
    # cap does not mask the effect under study.
    healthcheck:
      # h2c upgrade probe is awkward for a shell healthcheck; an HTTP/1.1
      # request on the same connector proves the listener is up and serving.
      # Escaping: YAML double quotes turn `\\r\\n` into `\r\n`, which printf
      # then expands to a real CRLF, so the request is wire-correct.
      # `head -1` keeps only the status line and `grep -q HTTP` matches any
      # status line, so the probe passes on whatever status `/` returns.
      # `Connection: close` asks the server to end the connection so the
      # probe does not leave a socket open on the listener.
      test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/127.0.0.1/8080 && printf 'GET / HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && head -1 <&3 | grep -q HTTP"]
      # Failures inside the 10 s start period do not count toward retries;
      # after that, 12 x 5 s gives roughly a minute before the container is
      # reported unhealthy. timeout equals interval, so a hung probe is
      # killed before the next one starts.
      interval: 5s
      timeout: 5s
      retries: 12
      start_period: 10s
