CVE-2021-42340

CWE-77211 documents8 sources
Severity
7.5HIGH
EPSS
5.7%
top 9.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
16
Apache TomcatOracle BIG Data Spatial AND GraphOracle Communications Diameter Signaling Router+13 more
Timeline
PublishedOct 14
Latest updateJul 15

Description

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages17 packages

NVDapache/tomcat8.5.608.5.72+4
Mavenorg.apache.tomcat:tomcat10.1.0-M110.1.0-M6+3
Debiantomcat9< 9.0.43-2~deb11u3+3

Also affects: Debian Linux 11.0

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
Missing Release of Resource after Effective Lifetime in Apache Tomcat2021-10-15
GHSA
Missing Release of Resource after Effective Lifetime in Apache Tomcat2021-10-15
CVEList
DoS via memory leak with WebSocket connections2021-10-14
OSV
CVE-2021-42340: The fix for bug 63362 present in Apache Tomcat 102021-10-14

📋Vendor Advisories

6
Oracle
Oracle Oracle Big Data Graph Risk Matrix: Big Data Graph (Apache Tomcat) — CVE-2021-423402022-07-15
Oracle
Oracle Oracle Commerce Risk Matrix: Content Acquisition System (Apache Tomcat) — CVE-2021-423402022-04-15
Oracle
Oracle Oracle Communications Risk Matrix: Platform (Apache Tomcat) — CVE-2021-423402022-01-15
Red Hat
tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS2021-10-14
Debian
CVE-2021-42340: tomcat9 - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1...2021