[thredds] Fwd: [SECURITY] CVE-2021-30639 Apache Tomcat DoS

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2021-30639 Apache Tomcat DoS
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Mon, 12 Jul 2021 11:18:21 -0600
A few new Tomcat CVEs came out today, 2 of which have a severity of
'important' (including the attached).

Please upgrade your Tomcat installations.

---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Mon, Jul 12, 2021 at 7:14 AM
Subject: [SECURITY] CVE-2021-30639 Apache Tomcat DoS
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, <
announce@xxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>

CVE-2021-30639 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.3 to 10.0.4
Apache Tomcat 9.0.44
Apache Tomcat 8.5.64

An error introduced as part of a change to improve error handling during
non-blocking I/O meant that the error flag associated with the Request
object was not reset between requests. This meant that once a
non-blocking I/O error occurred, all future requests handled by that
request object would fail. Users were able to trigger non-blocking I/O
errors, e.g. by dropping a connection, thereby creating the possibility
of triggering a DoS.
Applications that do not use non-blocking I/O are not exposed to this

Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 10.0.5 or later
- Upgrade to Apache Tomcat 9.0.45 or later
- Upgrade to Apache Tomcat 8.5.65 or later

2021-07-12 Original advisory

[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
  • 2021 messages navigation, sorted by:
    1. Thread
    2. Subject
    3. Author
    4. Date
    5. ↑ Table Of Contents
  • Search the thredds archives: