[
https://issues.apache.org/jira/browse/OFBIZ-12337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux updated OFBIZ-12337:
------------------------------------
Parent: OFBIZ-1525
Issue Type: Sub-task (was: Improvement)
> [SECURITY] CVE-2021-42340 Apache Tomcat DoS
> -------------------------------------------
>
> Key: OFBIZ-12337
> URL: https://issues.apache.org/jira/browse/OFBIZ-12337
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/base
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> CVE-2021-42340 Denial of Service
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.1.0-M1 to 10.1.0-M5
> Apache Tomcat 10.0.0-M10 to 10.0.11
> Apache Tomcat 9.0.40 to 9.0.53
> Apache Tomcat 8.5.60 to 8.5.71
> Description:
> The fix for bug 63362 introduced a memory leak. The object introduced to
> collect metrics for HTTP upgrade connections was not released for WebSocket
> connections once the WebSocket connection was closed. This created a memory
> leak that, over time, could lead to a denial of service via an
> OutOfMemoryError.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.1.0-M6 or later
> - Upgrade to Apache Tomcat 10.0.12 or later
> - Upgrade to Apache Tomcat 9.0.54 or later
> - Upgrade to Apache Tomcat 8.5.72 or later
> History:
> 2021-10-14 Original advisory
> 2021-10-14 Correct CVE reference in body of advisory
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
> [3] https://tomcat.apache.org/security-8.html
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
