[thredds] Fwd: [SECURITY] CVE-2021-41079 Apache Tomcat DoS

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2021-41079 Apache Tomcat DoS
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Wed, 15 Sep 2021 12:12:54 -0600
If you are using the NIO or NIO connectors in Tomcat, please upgrade at
your earliest convenience.

---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Wed, Sep 15, 2021 at 11:53 AM
Subject: [SECURITY] CVE-2021-41079 Apache Tomcat DoS
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, <
announce@xxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>

CVE-2021-41079 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.2
Apache Tomcat 9.0.0-M1 to 9.0.43
Apache Tomcat 8.5.0 to 8.5.63

When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a
specially crafted packet could be used to trigger an infinite loop
resulting in a denial of service.

Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 10.0.4 or later
- Upgrade to Apache Tomcat 9.0.44 or later
- Upgrade to Apache Tomcat 8.5.64 or later

Note: This issue was fixed in Apache Tomcat 10.0.3 but the release vote
for the 10.0.3 release candidate did not pass. Therefore, although users
must download 10.0.4 to obtain a version that includes a fix for this
issue, version 10.0.3 is not included in the list of affected versions.

The Apache Tomcat Security Team would like to thank:
- Thomas Wozenilek for originally reporting this issue
- David Frankson of Infinite Campus for providing a test case that
   reproduced the issue.

2021-09-15 Original advisory

[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
  • 2021 messages navigation, sorted by:
    1. Thread
    2. Subject
    3. Author
    4. Date
    5. ↑ Table Of Contents
  • Search the thredds archives: