Posted to announce@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2022/09/28 13:01:06 UTC

[SECURITY] CVE-2021-43980 Apache Tomcat - Information Disclosure

CVE-2021-43980 Apache Tomcat - Information Disclosure

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M12
Apache Tomcat 10.0.0-M1 to 10.0.18
Apache Tomcat 9.0.0-M1 to 9.0.60
Apache Tomcat 8.5.0 to 8.5.77

Description:
The simplified implementation of blocking reads and writes introduced in 
Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing 
(but extremely hard to trigger) concurrency bug that could cause client 
connections to share an Http11Processor instance, resulting in responses, 
or partial responses, being received by the wrong client.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.1.0-M14 or later once released
- Upgrade to Apache Tomcat 10.0.20 or later once released
- Upgrade to Apache Tomcat 9.0.62 or later once released
- Upgrade to Apache Tomcat 8.5.78 or later once released
- Note 10.1.0-M13, 10.0.19 and 9.0.61 were not released

Credit:
Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for 
discovering the issue and working with the Tomcat security team to 
identify the root cause and appropriate fix.

History:
2022-09-28 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
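To check an installed Tomcat against the "Versions Affected" and "Mitigation" ranges in the advisory above, here is an added example (illustrative code written for this page, not part of the advisory or of Apache Tomcat). It parses Tomcat version strings, including milestone versions such as 10.1.0-M12, orders them the way the advisory's ranges do (a milestone sorts before the GA release of the same x.y.z), and reports whether a version is inside an affected range, at or past the first fixed release of its branch, one of the numbers the advisory says were never released, or on a branch the advisory does not list at all. The function names, the CVE_2021_43980_RANGES table and the sample version.sh output are constructed for the example; the only input format it assumes is the "Server version: Apache Tomcat/<version>" line printed by bin/version.sh.

```python
# Added example: classify a Tomcat version against the CVE-2021-43980 ranges.
# Illustrative code written for this page, not part of the advisory or of
# Apache Tomcat.
import re

# Per branch: (first affected, last affected, first fixed), copied from the
# advisory's "Versions Affected" and "Mitigation" sections.
CVE_2021_43980_RANGES = [
    ("10.1.0-M1", "10.1.0-M12", "10.1.0-M14"),
    ("10.0.0-M1", "10.0.18", "10.0.20"),
    ("9.0.0-M1", "9.0.60", "9.0.62"),
    ("8.5.0", "8.5.77", "8.5.78"),
]

# major.minor.patch, an optional -M<n> milestone suffix, and an optional
# fourth component (the "Server number" form, e.g. 9.0.60.0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?(?:\.\d+)?$")


def parse_version(text):
    """Return a tuple that sorts Tomcat versions correctly.

    Milestones precede the GA release of the same x.y.z, so the tuple is
    (major, minor, patch, is_ga, milestone):
      10.1.0-M12 -> (10, 1, 0, 0, 12)
      10.1.0     -> (10, 1, 0, 1, 0)
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(version_text):
    """Classify one version against the advisory's ranges.

    Returns one of:
      "affected"   - inside a listed affected range
      "fixed"      - at or after the first fixed release of that branch
      "unreleased" - between the two, i.e. a number the advisory says was
                     never released (10.1.0-M13, 10.0.19, 9.0.61); a build
                     reporting one of these deserves a closer look
      "not-listed" - a major.minor branch the advisory does not cover
    """
    v = parse_version(version_text)
    for first, last, fixed in CVE_2021_43980_RANGES:
        lo, hi, fx = (parse_version(s) for s in (first, last, fixed))
        if v[:2] != lo[:2]:          # different major.minor branch
            continue
        if lo <= v <= hi:
            return "affected"
        if v >= fx:
            return "fixed"
        return "unreleased"
    return "not-listed"


def version_from_version_sh(output):
    """Extract the version string from bin/version.sh output.

    The "Server version:" line keeps any -M suffix, so that is the line used.
    """
    for line in output.splitlines():
        m = re.match(r"Server version:\s*Apache Tomcat/(\S+)", line)
        if m:
            return m.group(1)
    raise ValueError("no 'Server version:' line found")


# Constructed sample of version.sh output for this example (not captured
# from a real host).
SAMPLE_VERSION_SH = """\
Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.60
Server number:  9.0.60.0
OS Name:        Linux
"""


if __name__ == "__main__":
    for candidate in ("9.0.47", "9.0.60", "9.0.61", "9.0.62", "10.1.0-M12",
                      "10.1.0-M14", "10.1.0", "8.5.78", "7.0.109"):
        print(f"{candidate:12} {assess(candidate)}")
    print("sample host:", assess(version_from_version_sh(SAMPLE_VERSION_SH)))
```

On a real host, feed the output of $CATALINA_HOME/bin/version.sh to version_from_version_sh. Note that a 9.0.x install older than 9.0.47 still reports "affected": the advisory lists the whole branch from 9.0.0-M1, because the back-port in 9.0.47 only made a long-standing bug easier to trigger rather than introducing it.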


Re: [SECURITY] CVE-2021-43980 Apache Tomcat - Information Disclosure

Posted by Ram Krushna Mishra <ra...@gmail.com>.
Confirm unsubscribe

On Wed, Sep 28, 2022 at 8:36 PM Nicholas Ascione <ni...@gmail.com>
wrote:

> Confirm unsubscribe
>
> On Wed, Sep 28, 2022 at 9:01 AM Mark Thomas <ma...@apache.org> wrote:
>
> > [snip: full text of the advisory quoted above]

Re: [SECURITY] CVE-2021-43980 Apache Tomcat - Information Disclosure

Posted by Nicholas Ascione <ni...@gmail.com>.
Confirm unsubscribe

On Wed, Sep 28, 2022 at 9:01 AM Mark Thomas <ma...@apache.org> wrote:

> [snip: full text of the advisory quoted above]