You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2021/10/14 14:12:29 UTC
[SECURITY] CVE-2021-42340 Apache Tomcat DoS
CVE-2021-41079 Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M5
Apache Tomcat 10.0.0-M10 to 10.0.11
Apache Tomcat 9.0.40 to 9.0.53
Apache Tomcat 8.5.60 to 8.5.71
Description:
The fix for bug 63362 introduced a memory leak. The object introduced to
collect metrics for HTTP upgrade connections was not released for
WebSocket connections once the WebSocket connection was closed. This
created a memory leak that, over time, could lead to a denial of service
via an OutOfMemoryError.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.1.0-M6 or later
- Upgrade to Apache Tomcat 10.0.12 or later
- Upgrade to Apache Tomcat 9.0.54 or later
- Upgrade to Apache Tomcat 8.5.72 or later
History:
2021-10-14 Original advisory
References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
RE: [SECURITY] CVE-2021-42340 Apache Tomcat DoS [EXTERNAL]
Posted by "Beard, Shawn" <SB...@wrberkley.com.INVALID>.
It has to do with not releasing http websocket connections properly. So its both. We just had to upgrade to 9.0.53 on everything because of this.
Shawn Beard • Sr. Systems Engineer
Middleware Engineering
[cid:image852868.png@BE68D2F7.0F762FA2]
3840 109th Street , Urbandale , IA 50322
Phone: +1-515-564-2528<tel:+1-515-564-2528>
Email: SBeard@wrberkley.com<ma...@wrberkley.com>
Website: https://berkleytechnologyservices.com/
[cid:image544710.jpg@E9DE55D0.0D0A7FFA]
Technology Leadership Unleashing Business Potential
-----Original Message-----
From: James H. H. Lampert <ja...@touchtonecorp.com.INVALID>
Sent: Monday, December 6, 2021 1:29 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: [SECURITY] CVE-2021-42340 Apache Tomcat DoS [EXTERNAL]
** CAUTION: External message
On 10/14/21 7:12 AM, Mark Thomas wrote:
> The fix for bug 63362 introduced a memory leak. The object introduced
> to collect metrics for HTTP upgrade connections was not released for
> WebSocket connections once the WebSocket connection was closed. This
> created a memory leak that, over time, could lead to a denial of
> service via an OutOfMemoryError.
Question:
Is this even an issue if the Tomcat is configured to *only* listen on 443, and rejects non-HTTPS connections outright?
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
CONFIDENTIALITY NOTICE: This e-mail and the transmitted documents contain private, privileged and confidential information belonging to the sender. The information therein is solely for the use of the addressee. If your receipt of this transmission has occurred as the result of an error, please immediately notify us so we can arrange for the return of the documents. In such circumstances, you are advised that you may not disclose, copy, distribute or take any other action in reliance on the information transmitted.
Re: [SECURITY] CVE-2021-42340 Apache Tomcat DoS
Posted by "James H. H. Lampert" <ja...@touchtonecorp.com.INVALID>.
On 10/14/21 7:12 AM, Mark Thomas wrote:
> The fix for bug 63362 introduced a memory leak. The object introduced to
> collect metrics for HTTP upgrade connections was not released for
> WebSocket connections once the WebSocket connection was closed. This
> created a memory leak that, over time, could lead to a denial of service
> via an OutOfMemoryError.
Question:
Is this even an issue if the Tomcat is configured to *only* listen on
443, and rejects non-HTTPS connections outright?
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org