Posted to users@tomcat.apache.org by "James H. H. Lampert" <ja...@touchtonecorp.com.INVALID> on 2021/12/06 19:29:21 UTC

Re: [SECURITY] CVE-2021-42340 Apache Tomcat DoS

On 10/14/21 7:12 AM, Mark Thomas wrote:
> The fix for bug 63362 introduced a memory leak. The object introduced to 
> collect metrics for HTTP upgrade connections was not released for 
> WebSocket connections once the WebSocket connection was closed. This 
> created a memory leak that, over time, could lead to a denial of service 
> via an OutOfMemoryError.

Question:

Is this even an issue if the Tomcat is configured to *only* listen on 
443, and rejects non-HTTPS connections outright?

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: [SECURITY] CVE-2021-42340 Apache Tomcat DoS [EXTERNAL]

Posted by "Beard, Shawn" <SB...@wrberkley.com.INVALID>.
It has to do with not releasing HTTP WebSocket connections properly. So it's both. We just had to upgrade to 9.0.53 on everything because of this.

Shawn Beard • Sr. Systems Engineer
Middleware Engineering
3840 109th Street, Urbandale, IA 50322
Phone: +1-515-564-2528
Email: SBeard@wrberkley.com
Website: https://berkleytechnologyservices.com/

