Have you tested with a later release than 9.0.62?

Jon McAlexander
Senior Infrastructure Engineer

> -----Original Message-----
> From: Martin Garbe <martin.ga...@limbus-medtec.com>
> Sent: Monday, December 12, 2022 6:06 AM
> To: users@tomcat.apache.org
> Subject: CVE-2021-43980 completely fixed?
>
> Hello all,
>
> we use tomcat 9.0.62 in our environment and most likely hit the bug from
> CVE-2021-43980 (which should be fixed in this version).
>
> Why do we think that we hit this bug?
>
> * Since we refactored some e2e tests one test regularly fails because the
>   client receives packets that should never be received by this client. The
>   received packets belong to another TCP connection.
> * We did a wireshark dump and can confirm that the packets were sent by
>   tomcat. For a period of 4msec some packets are routed "into the wrong TCP
>   connection" by tomcat.
> * The bug seems to be triggered by some special timing + parallel processing
>   situation.
> * In the first step we assumed we had hit a bug in the AWS environment or
>   TCP/IP stack but then found the bug report for tomcat.
> * We used tomcat 9.0.60 when hitting the bug. By upgrading to 9.0.62 the
>   bug kept appearing. Even with 9.0.70 the bug exists.
> * We replaced tomcat with undertow and all e2e tests run fine.
>
> From our point of view, we have an environment/configuration which
> triggers this bug very often (100%).
> If you need anybody to test further fixes, then we can help you. Please let us
> know.
>
> Best regards,
> Martin Garbe