CVE-2021-42340: The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Affected

36 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	tomcat	—	—
apache	tomcat	—	—
apache	tomcat	—	—
apache	tomcat	>= 10.0.1 < 10.0.12	10.0.12
apache	tomcat	>= 8.5.60 < 8.5.72	8.5.72
apache	tomcat	>= 9.0.40 < 9.0.54	9.0.54
apache_software_foundation	apache_tomcat	—	—
apache_software_foundation	apache_tomcat	—	—
apache_software_foundation	apache_tomcat	—	—
apache_software_foundation	apache_tomcat	—	—
debian	debian_linux	—	—
debian	tomcat9	< tomcat9 9.0.54-1 (bookworm)	tomcat9 9.0.54-1 (bookworm)
oracle	agile_engineering_data_management	—	—
oracle	big_data_spatial_and_graph	< 23.1	23.1
oracle	communications_diameter_signaling_router	8.0.0.0 – 8.5.0.2	—
oracle	hospitality_cruise_shipboard_property_management_system	—	—
oracle	managed_file_transfer	—	—
oracle	managed_file_transfer	—	—
oracle	middleware_common_libraries_and_tools	—	—
oracle	payment_interface	—	—
oracle	payment_interface	—	—
oracle	retail_customer_insights	—	—
oracle	retail_customer_insights	—	—
oracle	retail_data_extractor_for_merchandising	—	—
oracle	retail_data_extractor_for_merchandising	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

osv7.5HIGH