Apache patches Tomcat DoS vulnerability (CVE-2021-42340)

The Apache Software Foundation has patched Apache Tomcat Denial of Service (DoS) vulnerability CVE-2021-42340, a memory leak that can, over time, lead to a denial of service condition.

A cyber attacker could exploit this vulnerability to access sensitive information.

Apache described the memory leak as follows:

“The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.”

Affected versions include Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M10 to 10.0.11, 9.0.40 to 9.0.53, and 8.5.60 to 8.5.71.

As noted in the Apache advisory, administrators should upgrade to one of the following Apache Tomcat versions:

  • 10.1.0-M6 or later
  • 10.0.12 or later
  • 9.0.54 or later
  • 8.5.72 or later
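As an added example (not from this article or the Apache project), the following Python check maps a Tomcat version string onto the affected ranges listed above and returns the version to upgrade to, so an administrator can confirm whether a given instance needs patching. It assumes the version is taken from the `Server version:` line printed by `catalina.sh version`; the sample output embedded below is constructed.

```python
import re
from typing import Optional, Tuple

# Affected ranges and fixed versions exactly as listed in the CVE-2021-42340 advisory.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M5", "10.1.0-M6"),
    ("10.0.0-M10", "10.0.11", "10.0.12"),
    ("9.0.40", "9.0.53", "9.0.54"),
    ("8.5.60", "8.5.71", "8.5.72"),
]

# A final release sorts after every milestone of the same number (10.0.0-M10 < 10.0.0),
# so milestone-less versions get a large sentinel in the fourth tuple slot.
FINAL = 10**6
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
SERVER_LINE_RE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.0.53' or '10.1.0-M5' into a comparable (major, minor, patch, milestone) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else FINAL)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the version to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def version_from_catalina_output(output: str) -> str:
    """Extract the version from the 'Server version:' line of `catalina.sh version` output."""
    m = SERVER_LINE_RE.search(output)
    if not m:
        raise ValueError("no 'Server version:' line found")
    return m.group(1)


# Constructed sample of `catalina.sh version` output (hypothetical host).
SAMPLE_OUTPUT = "Server version: Apache Tomcat/9.0.53\nServer built:   Sep 2021\n"

if __name__ == "__main__":
    running = version_from_catalina_output(SAMPLE_OUTPUT)
    fix = fixed_version_for(running)
    print(f"Tomcat {running}: " + (f"affected, upgrade to {fix}" if fix else "not affected"))
```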

