Re: [thredds] [SECURITY] CVE-2021-42340 Apache Tomcat DoS

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: Re: [thredds] [SECURITY] CVE-2021-42340 Apache Tomcat DoS
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Fri, 15 Oct 2021 14:05:41 -0600
Hello all,

Please upgrade your tomcat servers to the latest releases available:
http://tomcat.apache.org/


On Thu, Oct 14, 2021 at 8:19 AM Mark Thomas <markt@xxxxxxxxxx> wrote:

> CVE-2021-42340 Denial of Service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.1.0-M1 to 10.1.0-M5
> Apache Tomcat 10.0.0-M10 to 10.0.11
> Apache Tomcat 9.0.40 to 9.0.53
> Apache Tomcat 8.5.60 to 8.5.71
>
> Description:
> The fix for bug 63362 introduced a memory leak. The object introduced to
> collect metrics for HTTP upgrade connections was not released for
> WebSocket connections once the WebSocket connection was closed. This
> created a memory leak that, over time, could lead to a denial of service
> via an OutOfMemoryError.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.1.0-M6 or later
> - Upgrade to Apache Tomcat 10.0.12 or later
> - Upgrade to Apache Tomcat 9.0.54 or later
> - Upgrade to Apache Tomcat 8.5.72 or later
>
> History:
> 2021-10-14 Original advisory
> 2021-10-14 Correct CVE reference in body of advisory
>
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
> [3] https://tomcat.apache.org/security-8.html
>
  • 2021 messages navigation, sorted by:
    1. Thread
    2. Subject
    3. Author
    4. Date
    5. ↑ Table Of Contents
  • Search the thredds archives: