===================================================================== CERT-Renater Note d'Information No. 2021/VULN536 _____________________________________________________________________ DATE : 15/10/2021 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to 10.1.0-M6, 10.0.12, 9.0.54, 8.5.72. ===================================================================== https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E _____________________________________________________________________ CVE-2021-42340 Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.0-M5 Apache Tomcat 10.0.0-M10 to 10.0.11 Apache Tomcat 9.0.40 to 9.0.53 Apache Tomcat 8.5.60 to 8.5.71 Description: The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 10.1.0-M6 or later - Upgrade to Apache Tomcat 10.0.12 or later - Upgrade to Apache Tomcat 9.0.54 or later - Upgrade to Apache Tomcat 8.5.72 or later History: 2021-10-14 Original advisory 2021-10-14 Correct CVE reference in body of advisory References: [1] https://tomcat.apache.org/security-10.html [2] https://tomcat.apache.org/security-9.html [3] https://tomcat.apache.org/security-8.html ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================