If you are using the NIO or NIO connectors in Tomcat, please upgrade at
your earliest convenience.
---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Wed, Sep 15, 2021 at 11:53 AM
Subject: [SECURITY] CVE-2021-41079 Apache Tomcat DoS
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, <
announce@xxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>
CVE-2021-41079 Denial of Service
Vendor: The Apache Software Foundation
Apache Tomcat 10.0.0-M1 to 10.0.2
Apache Tomcat 9.0.0-M1 to 9.0.43
Apache Tomcat 8.5.0 to 8.5.63
When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a
specially crafted packet could be used to trigger an infinite loop
resulting in a denial of service.
Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 10.0.4 or later
- Upgrade to Apache Tomcat 9.0.44 or later
- Upgrade to Apache Tomcat 8.5.64 or later
Note: This issue was fixed in Apache Tomcat 10.0.3 but the release vote
for the 10.0.3 release candidate did not pass. Therefore, although users
must download 10.0.4 to obtain a version that includes a fix for this
issue, version 10.0.3 is not included in the list of affected versions.
The Apache Tomcat Security Team would like to thank:
- Thomas Wozenilek for originally reporting this issue
- David Frankson of Infinite Campus for providing a test case that
reproduced the issue.
2021-09-15 Original advisory