[SECURITY] CVE-2021-41079 Apache Tomcat DoS

[Mark Thomas <ma...@apache.org>]

CVE-2021-41079 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.2
Apache Tomcat 9.0.0-M1 to 9.0.43
Apache Tomcat 8.5.0 to 8.5.63

Description:
When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a 
specially crafted packet could be used to trigger an infinite loop 
resulting in a denial of service.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.4 or later
- Upgrade to Apache Tomcat 9.0.44 or later
- Upgrade to Apache Tomcat 8.5.64 or later

Note: This issue was fixed in Apache Tomcat 10.0.3 but the release vote 
for the 10.0.3 release candidate did not pass. Therefore, although users 
must download 10.0.4 to obtain a version that includes a fix for this 
issue, version 10.0.3 is not included in the list of affected versions.

Credit:
The Apache Tomcat Security Team would like to thank:
- Thomas Wozenilek for originally reporting this issue
- David Frankson of Infinite Campus for providing a test case that
   reproduced the issue.

History:
2021-09-15 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org