The Apache Software Foundation has patched CVE-2021-42340, a denial of service (DoS) vulnerability in Apache Tomcat: a memory leak that, over time, can exhaust the JVM's heap and leave the server in a denial of service condition.
A cyber attacker could exploit this vulnerability to access sensitive information.
Apache described the root cause of the memory leak as follows:
"The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError." (Apache Software Foundation)
Affected versions include Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M10 to 10.0.11, 9.0.40 to 9.0.53, and 8.5.60 to 8.5.71.
As noted in the Apache advisory, administrators should upgrade to one of the following Apache Tomcat versions:
- 10.1.0-M6 or later
- 10.0.12 or later
- 9.0.54 or later
- 8.5.72 or later