RE: [SECURITY] CVE-2021-42340 Apache Tomcat DoS [EXTERNAL]

2021-12-06 Thread Beard, Shawn
It has to do with not releasing HTTP WebSocket connections properly. So it's 
both. We just had to upgrade to 9.0.53 on everything because of this.

Shawn Beard • Sr. Systems Engineer
Middleware Engineering
3840 109th Street, Urbandale, IA 50322
Phone: +1-515-564-2528
Email: sbe...@wrberkley.com
Website: https://berkleytechnologyservices.com/
Technology Leadership Unleashing Business Potential


-Original Message-
From: James H. H. Lampert 
Sent: Monday, December 6, 2021 1:29 PM
To: Tomcat Users List 
Subject: Re: [SECURITY] CVE-2021-42340 Apache Tomcat DoS [EXTERNAL]

On 10/14/21 7:12 AM, Mark Thomas wrote:
> The fix for bug 63362 introduced a memory leak. The object introduced
> to collect metrics for HTTP upgrade connections was not released for
> WebSocket connections once the WebSocket connection was closed. This
> created a memory leak that, over time, could lead to a denial of
> service via an OutOfMemoryError.

Question:

Is this even an issue if the Tomcat is configured to *only* listen on 443, and 
rejects non-HTTPS connections outright?

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [SECURITY] CVE-2021-42340 Apache Tomcat DoS

2021-12-06 Thread James H. H. Lampert

On 10/14/21 7:12 AM, Mark Thomas wrote:
> The fix for bug 63362 introduced a memory leak. The object introduced to 
> collect metrics for HTTP upgrade connections was not released for 
> WebSocket connections once the WebSocket connection was closed. This 
> created a memory leak that, over time, could lead to a denial of service 
> via an OutOfMemoryError.


Question:

Is this even an issue if the Tomcat is configured to *only* listen on 
443, and rejects non-HTTPS connections outright?


--
JHHL




[SECURITY] CVE-2021-42340 Apache Tomcat DoS

2021-10-14 Thread Mark Thomas

CVE-2021-42340 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M5
Apache Tomcat 10.0.0-M10 to 10.0.11
Apache Tomcat 9.0.40 to 9.0.53
Apache Tomcat 8.5.60 to 8.5.71

Description:
The fix for bug 63362 introduced a memory leak. The object introduced to 
collect metrics for HTTP upgrade connections was not released for 
WebSocket connections once the WebSocket connection was closed. This 
created a memory leak that, over time, could lead to a denial of service 
via an OutOfMemoryError.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.1.0-M6 or later
- Upgrade to Apache Tomcat 10.0.12 or later
- Upgrade to Apache Tomcat 9.0.54 or later
- Upgrade to Apache Tomcat 8.5.72 or later

History:
2021-10-14 Original advisory
2021-10-14 Correct CVE reference in body of advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html


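The advisory lists upgrades as the only mitigation, so the practical check for an estate of Tomcat instances is whether each installed version falls inside the affected ranges, including the 10.x milestone builds, where "10.1.0-M5" must sort before "10.1.0". The following is an added example, not code from the advisory or the Tomcat project: the ranges and first fixed releases are copied from the advisory text above, and the sample ServerInfo output is constructed to look like what `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` prints on a real install.

```python
"""Version-range check for CVE-2021-42340 (Apache Tomcat WebSocket metrics leak).

Added example, not code from the advisory or the Tomcat project. The affected
ranges and first fixed releases are copied from the advisory; the ServerInfo
sample at the bottom is constructed to resemble the output of
`java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`.
"""
import re
from typing import Optional, Tuple

# (branch, first affected, last affected, first fixed), inclusive ranges as
# listed under "Versions Affected" and "Mitigation" in the advisory.
AFFECTED_RANGES = [
    ("10.1", "10.1.0-M1", "10.1.0-M5", "10.1.0-M6"),
    ("10.0", "10.0.0-M10", "10.0.11", "10.0.12"),
    ("9.0", "9.0.40", "9.0.53", "9.0.54"),
    ("8.5", "8.5.60", "8.5.71", "8.5.72"),
]

# x.y.z, optional "-Mn" milestone suffix, optional trailing ".n" build number
# as printed on the "Server number" line (e.g. 9.0.53.0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?(?:\.\d+)?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Map a Tomcat version string to a tuple that sorts correctly.

    Milestones precede the final release of the same x.y.z, so the fourth
    element is 0 for "-Mn" and 1 for a GA release:
    10.1.0-M5 -> (10, 1, 0, 0, 5) sorts before 10.1.0 -> (10, 1, 0, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, first_fixed_release) for one version string."""
    v = parse_version(version)
    for _branch, first_bad, last_bad, fixed in AFFECTED_RANGES:
        if parse_version(first_bad) <= v <= parse_version(last_bad):
            return True, fixed
    return False, None


_SERVER_LINE_RE = re.compile(r"^Server (number|version):\s*(?:Apache Tomcat/)?(\S+)")


def version_from_server_info(output: str) -> str:
    """Pull the version out of ServerInfo output.

    "Server number" (9.0.53.0) is preferred; "Server version"
    (Apache Tomcat/9.0.53) is the fallback if that line is missing.
    """
    found = {}
    for line in output.splitlines():
        m = _SERVER_LINE_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    for key in ("number", "version"):
        if key in found:
            return found[key]
    raise ValueError("no 'Server number' or 'Server version' line in output")


# Constructed sample, shaped like ServerInfo output from a 9.0.53 install.
SAMPLE_SERVER_INFO = """\
Server version: Apache Tomcat/9.0.53
Server built:   Sep 3 2021 12:00:00 UTC
Server number:  9.0.53.0
OS Name:        Linux
"""


def main() -> None:
    for v in ("8.5.59", "8.5.60", "9.0.53", "9.0.54", "10.0.0-M10",
              "10.1.0-M5", "10.1.0-M6",
              version_from_server_info(SAMPLE_SERVER_INFO)):
        affected, fixed = is_affected(v)
        status = f"AFFECTED, upgrade to {fixed} or later" if affected else "not affected"
        print(f"{v:<12} {status}")


if __name__ == "__main__":
    main()
```

To run it against a live install, pass the real output of the ServerInfo command (for example via `subprocess.check_output`) into `version_from_server_info` instead of the constructed sample. The check deliberately takes no account of which connectors are enabled: the leak is in the WebSocket upgrade path, so an HTTPS-only connector is in scope exactly as a plain HTTP one is.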


[SECURITY] CVE-2021-42340 Apache Tomcat DoS

2021-10-14 Thread Mark Thomas

CVE-2021-41079 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M5
Apache Tomcat 10.0.0-M10 to 10.0.11
Apache Tomcat 9.0.40 to 9.0.53
Apache Tomcat 8.5.60 to 8.5.71

Description:
The fix for bug 63362 introduced a memory leak. The object introduced to 
collect metrics for HTTP upgrade connections was not released for 
WebSocket connections once the WebSocket connection was closed. This 
created a memory leak that, over time, could lead to a denial of service 
via an OutOfMemoryError.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.1.0-M6 or later
- Upgrade to Apache Tomcat 10.0.12 or later
- Upgrade to Apache Tomcat 9.0.54 or later
- Upgrade to Apache Tomcat 8.5.72 or later

History:
2021-10-14 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
