Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2022/09/28 13:01:06 UTC
[SECURITY] CVE-2021-43980 Apache Tomcat - Information Disclosure
CVE-2021-43980 Apache Tomcat - Information Disclosure
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M12
Apache Tomcat 10.0.0-M1 to 10.0.18
Apache Tomcat 9.0.0-M1 to 9.0.60
Apache Tomcat 8.5.0 to 8.5.77
Description:
The simplified implementation of blocking reads and writes introduced in
Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long
standing (but extremely hard to trigger) concurrency bug that could
cause client connections to share an Http11Processor instance resulting
in responses, or part responses, to be received by the wrong client.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.1.0-M14 or later once released
- Upgrade to Apache Tomcat 10.0.20 or later once released
- Upgrade to Apache Tomcat 9.0.62 or later once released
- Upgrade to Apache Tomcat 8.5.78 or later once released
- Note 10.1.0-M13, 10.0.19 and 9.0.61 were not released
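As an added check (this editor's example, not code from the advisory or the Tomcat project), the Python script below compares an installed Tomcat version against the affected ranges listed above, taking the milestone numbering (10.1.0-M1 to 10.1.0-M12 sits before the 10.1.0 GA release) into account, and pulls the version out of the "Server version: Apache Tomcat/x.y.z" line that bin/version.sh prints. The version.sh output embedded in it is a constructed sample.

```python
"""Check a Tomcat version against the CVE-2021-43980 affected ranges.

Editor-added example, not part of the advisory.  The ranges and the first
fixed release per branch are taken verbatim from the advisory text.
"""
import re

# (lowest affected, highest affected, first fixed release) per branch.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M12", "10.1.0-M14"),
    ("10.0.0-M1", "10.0.18", "10.0.20"),
    ("9.0.0-M1", "9.0.60", "9.0.62"),
    ("8.5.0", "8.5.77", "8.5.78"),
]

# Tomcat versions look like 9.0.60 or, for milestones, 10.1.0-M12.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# A GA release sorts after every milestone with the same x.y.z numbers, so the
# GA gets a milestone component larger than any real milestone number.
_GA_MILESTONE = 10**6


def parse_version(text):
    """Turn '9.0.60' or '10.1.0-M12' into a tuple that compares correctly."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    ms = int(milestone) if milestone is not None else _GA_MILESTONE
    return (int(major), int(minor), int(patch), ms)


def check_version(text):
    """Return (affected, first_fixed_release) for a Tomcat version string.

    first_fixed_release is None when the version is outside every affected
    range (already fixed, or a branch the advisory does not list).
    """
    version = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= version <= parse_version(high):
            return True, fixed
    return False, None


# bin/version.sh prints a line such as "Server version: Apache Tomcat/9.0.60".
_SERVER_LINE_RE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")


def version_from_version_sh(output):
    """Extract the version string from bin/version.sh output, or None."""
    match = _SERVER_LINE_RE.search(output)
    return match.group(1) if match else None


# Constructed sample of version.sh output (not captured from a real host).
SAMPLE_VERSION_SH_OUTPUT = """\
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/9.0.60
Server number:  9.0.60.0
"""


def report(output):
    """Human-readable verdict for one host's version.sh output."""
    found = version_from_version_sh(output)
    if found is None:
        return "could not determine Tomcat version"
    affected, fixed = check_version(found)
    if affected:
        return f"Tomcat {found} is affected by CVE-2021-43980; upgrade to {fixed} or later"
    return f"Tomcat {found} is not in an affected range for CVE-2021-43980"


if __name__ == "__main__":
    print(report(SAMPLE_VERSION_SH_OUTPUT))
```

Feed `report()` the output of `bin/version.sh` (or `catalina.sh version`) from each host; versions outside the four listed branches are reported as not affected because the advisory says nothing about them, so treat that result as "not covered by this advisory" rather than "safe".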
Credit:
Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for
discovering the issue and working with the Tomcat security team to
identify the root cause and appropriate fix.
History:
2022-09-28 Original advisory
References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: [SECURITY] CVE-2021-43980 Apache Tomcat - Information Disclosure
Posted by Ram Krushna Mishra <ra...@gmail.com>.
Confirm unsubscribe
On Wed, Sep 28, 2022 at 8:36 PM Nicholas Ascione <ni...@gmail.com>
wrote:
> Confirm unsubscribe
>
> On Wed, Sep 28, 2022 at 9:01 AM Mark Thomas <ma...@apache.org> wrote:
Re: [SECURITY] CVE-2021-43980 Apache Tomcat - Information Disclosure
Posted by Nicholas Ascione <ni...@gmail.com>.
Confirm unsubscribe
On Wed, Sep 28, 2022 at 9:01 AM Mark Thomas <ma...@apache.org> wrote: