=====================================================================
CERT-Renater Information Note No. 2021/VULN481
_____________________________________________________________________

DATE : 16/09/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to 10.0.4, 9.0.44, 8.5.64.
=====================================================================

http://mail-archives.apache.org/mod_mbox/www-announce/202109.mbox/%3ce1079445-c7b5-c4b0-3155-85c4cfc839ea@apache.org%3e
_____________________________________________________________________

CVE-2021-41079 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.2
Apache Tomcat 9.0.0-M1 to 9.0.43
Apache Tomcat 8.5.0 to 8.5.63

Description:
When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a
specially crafted packet could be used to trigger an infinite loop
resulting in a denial of service.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.4 or later
- Upgrade to Apache Tomcat 9.0.44 or later
- Upgrade to Apache Tomcat 8.5.64 or later

Note: This issue was fixed in Apache Tomcat 10.0.3 but the release vote
for the 10.0.3 release candidate did not pass. Therefore, although users
must download 10.0.4 to obtain a version that includes a fix for this
issue, version 10.0.3 is not included in the list of affected versions.

Credit:
The Apache Tomcat Security Team would like to thank:
- Thomas Wozenilek for originally reporting this issue
- David Frankson of Infinite Campus for providing a test case that
  reproduced the issue.
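Added example, not part of the CERT-Renater note or of the Tomcat project: a Python triage helper for the two questions an operator asks when reading this advisory, "is my Tomcat version in an affected range?" and "does a TLS connector actually use OpenSSL on NIO/NIO2?". The version ranges and fixed versions are taken from the advisory above (note that 10.0.3 is correctly reported as outside the affected range). The sample server.xml is constructed for the example, and the reading of the Connector attributes `SSLEnabled`, `protocol` and `sslImplementationName` is an assumption about how the deployment is configured: when `sslImplementationName` is absent, the implementation depends on whether the native (APR) library is loaded, so the check reports that as inconclusive rather than safe.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Tomcat version strings look like "9.0.43" or, for milestones, "10.0.0-M1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int, int]:
    """Parse a Tomcat version into a sortable tuple.

    Milestone builds (e.g. 10.0.0-M1) sort before the final release of the
    same number, so the tuple is (major, minor, patch, is_final, milestone).
    """
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    milestone = m.group(4)
    if milestone is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(milestone))


# Inclusive affected ranges and the fixed release for each branch, from the advisory.
AFFECTED = [
    (parse_version("10.0.0-M1"), parse_version("10.0.2"), "10.0.4"),
    (parse_version("9.0.0-M1"), parse_version("9.0.43"), "9.0.44"),
    (parse_version("8.5.0"), parse_version("8.5.63"), "8.5.64"),
]


def is_affected(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return fixed
    return None


# Constructed sample server.xml: one plain HTTP connector and one TLS connector
# on NIO that explicitly names the OpenSSL implementation (assumed attribute usage).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def tls_connectors(server_xml: str) -> List[Tuple[str, str, str]]:
    """List (port, protocol, ssl_impl) for every TLS-enabled Connector.

    ssl_impl is "openssl" or "jsse" when sslImplementationName says so, and
    "default" when the attribute is absent (then it depends on whether the
    native library is loaded, so treat it as inconclusive, not as safe).
    """
    root = ET.fromstring(server_xml)
    report = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        impl = conn.get("sslImplementationName")
        if impl is None:
            kind = "default"
        elif "openssl" in impl.lower():
            kind = "openssl"
        else:
            kind = "jsse"
        report.append((conn.get("port", "?"), conn.get("protocol", "HTTP/1.1"), kind))
    return report


def assess(version: str, server_xml: str) -> str:
    """One-line verdict combining the version check and the connector scan."""
    fixed = is_affected(version)
    if fixed is None:
        return f"Tomcat {version}: not in an affected range for CVE-2021-41079"
    tls = tls_connectors(server_xml)
    exposed = [port for port, _proto, kind in tls if kind in ("openssl", "default")]
    if not exposed:
        return f"Tomcat {version}: affected version, but no TLS connector uses OpenSSL; upgrade to {fixed}"
    return f"Tomcat {version}: affected, TLS connector(s) {exposed} may use OpenSSL; upgrade to {fixed}"


if __name__ == "__main__":
    for v in ("10.0.0-M1", "10.0.2", "10.0.3", "9.0.43", "8.5.64"):
        print(assess(v, SAMPLE_SERVER_XML))
```

Run against a real installation by feeding it the version from `catalina.sh version` (or the `ServerInfo` string) and the contents of `conf/server.xml`; a "default" result for a connector means you must also check whether `AprLifecycleListener` loads the native library before concluding the host is unaffected.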
History:
2021-09-15 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris          | email:cert@support.renater.fr  +
=========================================================