CVE-2021-42340

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M10 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. Because every WebSocket connection leaks such an object, a remote client that repeatedly opens and closes WebSocket connections can, over time, exhaust the heap and cause a denial of service via an OutOfMemoryError. The affected-version list below gives 8.5.72, 9.0.54 and 10.0.12 as the first fixed releases of the 8.5, 9.0 and 10.0 branches.
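The practical check a responder wants is whether a given Tomcat build sits inside the ranges quoted above, including the milestone builds, which sort before the final release of the same number (10.0.0-M10 < 10.0.0 < 10.0.1). The following script is an added example, not part of this advisory or of the Tomcat project; the ranges are taken from the paragraph above, and the banner format "Server version: Apache Tomcat/9.0.53" that version_from_banner() parses is an assumption about what `catalina.sh version` prints.

```python
"""Check whether an Apache Tomcat version falls inside the CVE-2021-42340
affected ranges.  Added example; not part of the advisory or of Tomcat."""
import re

# Tomcat version strings look like "9.0.53" or, for pre-releases, "10.1.0-M5".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Affected ranges, inclusive on both ends, exactly as the advisory states them:
# 8.5.60 to 8.5.71, 9.0.40 to 9.0.53, 10.0.0-M10 to 10.0.11, 10.1.0-M1 to 10.1.0-M5.
AFFECTED_RANGES = [
    ("8.5.60", "8.5.71"),
    ("9.0.40", "9.0.53"),
    ("10.0.0-M10", "10.0.11"),
    ("10.1.0-M1", "10.1.0-M5"),
]


def parse_version(text):
    """Return a sortable tuple for a Tomcat version string.

    Milestones sort before the final release of the same number, so
    10.0.0-M10 < 10.0.0 < 10.0.1.  The fourth element encodes that:
    0 for a milestone (followed by its number), 1 for a GA release.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if `version` is inside any affected range of CVE-2021-42340."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_banner(banner):
    """Extract the version from a 'Server version: Apache Tomcat/9.0.53' line
    (assumed format of the `catalina.sh version` banner).
    Returns None if no such line is present."""
    match = re.search(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)", banner)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Constructed sample banner, not captured from a real server.
    sample = "Server version: Apache Tomcat/9.0.53\nServer number:  9.0.53.0\n"
    found = version_from_banner(sample)
    print(found, "affected" if is_affected(found) else "not affected")
```

Feed it the output of `catalina.sh version` from each host; a `needed` or `needs-triage` distribution status (see the Debian and Ubuntu tables below) means the distro package still carries the vulnerable upstream code, so the upstream version number, not the package status, is what decides exposure.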
CVSS scores

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | NIST | 7.5 HIGH   | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
apache   | CNA  | ---        | ---         |                 |                |
CVE      | ADP  | ---        | ---         |                 |                |

EPSS percentile: 85%
Affected software (x = vulnerable software versions)

Vendor | Product                                                 | Version
apache | tomcat                                                  | 8.5.60 ≤ x < 8.5.72
apache | tomcat                                                  | 9.0.40 ≤ x < 9.0.54
apache | tomcat                                                  | 10.0.1 ≤ x < 10.0.12
apache | tomcat                                                  | 10.0.0:milestone10
apache | tomcat                                                  | 10.1.0:milestone1
apache | tomcat                                                  | 10.1.0:milestone2
apache | tomcat                                                  | 10.1.0:milestone3
apache | tomcat                                                  | 10.1.0:milestone4
apache | tomcat                                                  | 10.1.0:milestone5
netapp | hci                                                     | -
netapp | management_services_for_element_software                | -
debian | debian_linux                                            | 11.0
oracle | agile_engineering_data_management                       | 6.2.1.0
oracle | big_data_spatial_and_graph                              | x < 23.1
oracle | communications_diameter_signaling_router                | 8.0.0.0 ≤ x ≤ 8.5.0.2
oracle | hospitality_cruise_shipboard_property_management_system | 20.1.0
oracle | managed_file_transfer                                   | 12.2.1.3.0
oracle | managed_file_transfer                                   | 12.2.1.4.0
oracle | middleware_common_libraries_and_tools                   | 12.2.1.4.0
oracle | payment_interface                                       | 19.1
oracle | payment_interface                                       | 20.3
oracle | retail_customer_insights                                | 15.0.2
oracle | retail_customer_insights                                | 16.0.2
oracle | retail_data_extractor_for_merchandising                 | 15.0.2
oracle | retail_data_extractor_for_merchandising                 | 16.0.2
oracle | retail_eftlink                                          | 21.0.0
oracle | retail_financial_integration                            | 16.0.1
oracle | retail_financial_integration                            | 19.0.0
oracle | retail_store_inventory_management                       | 14.0.4.13
oracle | retail_store_inventory_management                       | 14.1.3.5
oracle | retail_store_inventory_management                       | 14.1.3.14
oracle | retail_store_inventory_management                       | 15.0.3.3
oracle | retail_store_inventory_management                       | 15.0.3.8
oracle | retail_store_inventory_management                       | 16.0.3.7
oracle | sd-wan_edge                                             | 9.0
oracle | sd-wan_edge                                             | 9.1
oracle | taleo_platform                                          | * (all versions)
Debian Releases

Product | Codename            | Fixed version     | Status
tomcat9 | bullseye (security) | 9.0.43-2~deb11u10 | fixed
tomcat9 | bullseye            | 9.0.43-2~deb11u10 | fixed
tomcat9 | buster              | -                 | not-affected
tomcat9 | stretch             | -                 | not-affected
tomcat9 | bookworm            | 9.0.70-2          | fixed
tomcat9 | sid                 | 9.0.95-1          | fixed
tomcat9 | trixie              | 9.0.95-1          | fixed
Ubuntu Releases

Product | Codename | Status
tomcat8 | bionic   | needed
tomcat8 | xenial   | needed
tomcat8 | trusty   | ignored
tomcat9 | noble    | needs-triage
tomcat9 | mantic   | ignored
tomcat9 | lunar    | ignored
tomcat9 | kinetic  | ignored
tomcat9 | jammy    | needs-triage
tomcat9 | impish   | ignored
tomcat9 | hirsute  | ignored
tomcat9 | focal    | needed
tomcat9 | bionic   | needed
tomcat9 | xenial   | ignored
tomcat9 | trusty   | ignored