Bug 2014356 (CVE-2021-42340)

Summary: CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
Product: [Other] Security Response
Reporter: Ted Jongseok Won <jwon>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: aileenc, akoufoud, alazarot, alee, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cbuissar, cdewolf, chazlett, cmoulliard, coolsvap, csutherl, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, eleandro, etirelli, fjuma, ggaughan, gmalinko, gzaronikas, gzaronik, huwang, ibek, ikanello, ivan.afonichev, iweiss, janstey, java-sig-commits, jclere, jjoyce, jochrist, jolee, jpallich, jperkins, jrokos, jschatte, jschluet, jstastny, jwon, krathod, krzysztof.daniel, kverlaen, kwills, kyoshida, lgao, lhh, lpeer, lthon, mburns, mkolesni, mnovotny, msochure, msvehla, mszynkie, nwallace, pdelbell, peholase, pgallagh, pjindal, pmackay, rguimara, rhcs-maint, rrajasek, rruss, rstancel, rsvoboda, sclewis, scohen, security-response-team, slinaber, smaestri, szappis, tom.jenkinson, tzimanyi, yaoli, yborgess
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: tomcat 10.1.0-M6, tomcat 10.0.12, tomcat 9.0.54, tomcat 8.5.72
Doc Type: If docs needed, set a value
Doc Text:
A memory leak flaw was found in Apache Tomcat, where an HTTP upgrade connection is not released for WebSocket connections once the WebSocket connection is closed. If a sufficient number of such requests are made, an OutOfMemoryError occurs, leading to a denial of service. The highest threat from this vulnerability is to system availability.
Story Points: ---
Last Closed: 2022-01-07 19:12:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2014926, 2014927, 2014928
Bug Blocks: 2014348

Description Ted Jongseok Won 2021-10-15 02:13:09 UTC
Apache Tomcat did not properly release an HTTP upgrade connection for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. This issue affects the version of Apache Tomcat 10.1.0-M1 to 10.1.0-M5; Apache Tomcat 10.0.0-M10 to 10.0.11; Apache Tomcat 9.0.40 to 9.0.53; Apache Tomcat 8.5.60 to 8.5.71.

Upstream commits:
Tomcat 10.1: https://github.com/apache/tomcat/commit/d5a6660cba7f51589468937bf3bbad4db7810371
Tomcat 10.0: https://github.com/apache/tomcat/commit/31d62426645824bdfe076a0c0eafa904d90b4fb9
Tomcat 9.0: https://github.com/apache/tomcat/commit/80f1438ec45e77a07b96419808971838d259eb47
Tomcat 8.5: https://github.com/apache/tomcat/commit/d27535bdee95d252418201eb21e9d29476aa6b6a

Reference:
https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E
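
As an added defender's check, not part of this Bugzilla record or of Tomcat itself: a small Python helper that encodes the affected ranges from the description above and classifies a Tomcat version string, taking care of milestone ordering (10.0.0-M10 precedes the 10.0.0 GA release, and 10.1.0-M6 is the first safe 10.1 milestone). The banner form `Apache Tomcat/x.y.z` is assumed to match what the `version.sh` script and the default error-page footer print; the sample banner line is constructed.

```python
import re

# Inclusive affected ranges as listed in the CVE description; the
# "Fixed In Version" field gives the first safe release on each branch.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M5"),
    ("10.0.0-M10", "10.0.11"),
    ("9.0.40", "9.0.53"),
    ("8.5.60", "8.5.71"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# Assumed banner layout: e.g. "Server version: Apache Tomcat/9.0.40"
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def parse_version(text):
    """Turn 'major.minor.patch[-Mn]' into a sortable tuple.

    A milestone such as 10.0.0-M10 ships before the final 10.0.0, so the
    GA release gets an infinite milestone slot and sorts after every -Mn
    with the same major.minor.patch.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), ms)


def is_affected(version):
    """True if the version falls inside any range listed for CVE-2021-42340."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_banner(line):
    """Extract the version from a constructed 'Apache Tomcat/x.y.z' banner line."""
    m = _BANNER_RE.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample banner, e.g. from `bin/version.sh` output.
    sample = "Server version: Apache Tomcat/9.0.53"
    ver = version_from_banner(sample)
    print(ver, "affected" if is_affected(ver) else "not affected")
```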

Comment 2 Doran Moppert 2021-10-15 02:42:05 UTC
Introduced by: https://bz.apache.org/bugzilla/show_bug.cgi?id=63362

Comment 4 Jonathan Christison 2021-10-15 09:33:36 UTC
Red Hat JBoss Fuse 6 ships some of the vulnerable artifacts as bundled artifacts in ops4j pax web; however, there is no use of these artifacts in Fuse itself, and the artifacts are also prevented from loading with a deny list in Karaf. For these reasons we believe the impact upon Fuse 6.3 is low.

The same also applies to Red Hat Fuse 7.

This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 9 Doran Moppert 2021-10-18 01:23:07 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2014926]
Created tomcat:master/tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2014927]

Comment 15 errata-xmlrpc 2021-11-30 14:25:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2021:4863 https://access.redhat.com/errata/RHSA-2021:4863

Comment 16 errata-xmlrpc 2021-11-30 14:25:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.6 on RHEL 7
  Red Hat JBoss Web Server 5.6 on RHEL 8

Via RHSA-2021:4861 https://access.redhat.com/errata/RHSA-2021:4861

Comment 22 Product Security DevOps Team 2022-01-07 19:11:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-42340

Comment 23 errata-xmlrpc 2022-04-12 19:07:08 UTC
This issue has been addressed in the following products:

  Red Hat Support for Spring Boot 2.5.10

Via RHSA-2022:1179 https://access.redhat.com/errata/RHSA-2022:1179

Comment 24 errata-xmlrpc 2022-07-07 14:21:32 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 31 Sandipan Roy 2023-06-16 03:54:36 UTC
RHEL 9 Errata:
https://access.redhat.com/errata/RHBA-2022:8077