Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2021/07/12 13:03:15 UTC
[SECURITY] CVE-2021-30639 Apache Tomcat DoS
CVE-2021-30639 Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.0.3 to 10.0.4
Apache Tomcat 9.0.44
Apache Tomcat 8.5.64
Description:
An error introduced as part of a change to improve error handling during
non-blocking I/O meant that the error flag associated with the Request
object was not reset between requests. This meant that once a
non-blocking I/O error occurred, all future requests handled by that
request object would fail. Users were able to trigger non-blocking I/O
errors, e.g. by dropping a connection, thereby creating the possibility
of triggering a DoS.
Applications that do not use non-blocking I/O are not exposed to this
vulnerability.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.5 or later
- Upgrade to Apache Tomcat 9.0.45 or later
- Upgrade to Apache Tomcat 8.5.65 or later
History:
2021-07-12 Original advisory
References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
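The mechanism the Description above refers to, as an added sketch that is not Tomcat's own code: a hypothetical pooled request object (class and method names assumed) whose I/O error flag is left set across recycle(), next to the corrected recycle that clears it, so a single dropped connection no longer fails every later request handled by that object.

```java
// Added illustration (hypothetical names, not Tomcat's own classes): a pooled
// request object whose I/O error flag survives recycle(), beside the corrected form.
public class StickyErrorFlagDemo {

    static class PooledRequest {
        private boolean ioError;      // set when a non-blocking I/O operation fails
        private final boolean fixed;  // true: recycle() resets the flag between requests

        PooledRequest(boolean fixed) { this.fixed = fixed; }

        // The client dropped the connection while the container was reading or writing.
        void onNonBlockingIoError() { ioError = true; }

        // Invoked before the same object is reused for the next request on this processor.
        void recycle() {
            if (fixed) {
                ioError = false;      // corrected: per-request error state is cleared
            }
            // vulnerable variant: the flag is never cleared and poisons later requests
        }

        // True if the request is processed normally, false if it is rejected as failed.
        boolean handle() { return !ioError; }
    }

    // One dropped connection followed by n well-formed requests on the same object.
    static int servedAfterOneError(boolean fixed, int n) {
        PooledRequest req = new PooledRequest(fixed);
        req.onNonBlockingIoError();   // e.g. the client dropped the connection
        req.recycle();
        int served = 0;
        for (int i = 0; i < n; i++) {
            if (req.handle()) {
                served++;
            }
            req.recycle();
        }
        return served;
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: " + servedAfterOneError(false, 5) + " of 5 later requests served");
        System.out.println("fixed:      " + servedAfterOneError(true, 5) + " of 5 later requests served");
    }
}
```

The vulnerable variant serves 0 of the 5 follow-up requests and the fixed variant serves all 5; applications that never enter non-blocking I/O never set the flag, which is why the advisory excludes them.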
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
RE: [SECURITY] CVE-2021-30639 Apache Tomcat DoS
Posted by jo...@wellsfargo.com.INVALID.
Corrected Numbers. Subtract 3667 desktops from the 8.5.64 numbers.
8.5.64
Desktops (ASSET_CLAS_DS: DESKTOP; DISCOVERED_VERSION: multiple items)
Row Labels                                        Count of CI_NM_HOST
(blank)                                          3667
Grand Total                                      3667
Distributed Servers (ASSET_CLAS_DS: DISTRIBUTED SERVERS; DISCOVERED_VERSION: multiple items)
Row Labels                                        Count of CI_NM_HOST
CICCT-IVR-TECH                                      2
COMMONCHANNELINFRASTRUCTURE                         6
CSG-DISTRIBUTEDSUPPORT                              4
EFT-PLATMGMT-HROPERATIONSUPPOR                      3
EFT-SPECSVCS-FINANCIALS;FST-SYSTEMARCHITECTURE      1
EIS-IPT-INFRACRYPTO;PLATMGMT-MWS-SERVICES           1
EPA-EBSPRODUCTIONAVAIL                              1
FST-SYSTEMARCHITECTURE                              1
NOMIDDLEWARE                                      110
NOMIDDLEWARE;PLATMGMT-MWS-SERVICES                  1
PAC2000DEVELOPMENT                                 31
PAC2000-PLATFORMSUPPORT                             1
PLATMGMT-MWS-SERVICES                              52
PLATMGMT-MWS-SERVICES;ITECH-DOCUMENTUMSERVICES      9
QUALITYASSURANCE-INFRA                              1
WFFISTHIRDPARTYAPPS                                 3
WHLSEQFINFOLEASE                                    1
WHLSTECHFXENGINEERING                               7
WHLSTECHWMSMWSPECIALTYSVCS                          1
WHLSWFGATEWAY                                       3
WHLSWFSCACHESERVICES                                2
WHLSWFSPLANTMWSERVICES                              1
(blank)                                            30
Grand Total                                       272
9.0.44
0 desktops
Distributed Servers (ASSET_CLAS_DS: DISTRIBUTED SERVERS; DISCOVERED_VERSION: multiple items)
Row Labels                                        Count of CI_NM_HOST
EFT-SPECSVCS-FINANCIALS;FST-SYSTEMARCHITECTURE      4
EIS-IPT-INFRACRYPTO;PLATMGMT-MWS-SERVICES           2
EPR-TECH-TOOLS                                      4
FST-SYSTEMARCHITECTURE                              2
INTERNET.BANKING                                  119
INTERNET.BANKING;NOMIDDLEWARE                       2
ISD-CONFIGURATIONMANAGEMENT                       124
NOMIDDLEWARE                                       38
NOMIDDLEWARE;INTERNET.BANKING                       2
PLATMGMT-MWS-SERVICES                              16
WHLSTECHCRISP                                       1
WHLSWFSCACHESERVICES                                3
WHLSWFSFIDATASERVICES                               1
(blank)                                             8
Grand Total                                       326
Jon McAlexander
Infrastructure Engineer
Asst Vice President
Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Monday, July 12, 2021 8:03 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc: announce@tomcat.apache.org; announce@apache.org; Tomcat
> Developers List <de...@tomcat.apache.org>
> Subject: [SECURITY] CVE-2021-30639 Apache Tomcat DoS
> Importance: High