Bug 2130599 (CVE-2021-43980)

Summary: CVE-2021-43980 Apache Tomcat: Information disclosure
Product: [Other] Security Response
Reporter: Sage McTaggart <amctagga>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: alee, aogburn, chazlett, coolsvap, csutherl, gzaronikas, ivan.afonichev, java-sig-commits, jclere, jwon, krzysztof.daniel, mmadzin, nagetsum, peholase, pjindal, rhcs-maint, szappis, trathi, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Tomcat 10.1.0-M14, Tomcat 10.0.20, Tomcat 9.0.62, Tomcat 8.5.78
Doc Type: If docs needed, set a value
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2133649, 2133650, 2133652, 2133653
Bug Blocks: 2130601

Description Sage McTaggart 2022-09-28 15:08:46 UTC
Severity: important

Description:

The simplified implementation of blocking reads and writes introduced in 
Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing 
(but extremely hard to trigger) concurrency bug in Apache 
Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 
and 8.5.0 to 8.5.77 that could cause client connections to share an 
Http11Processor instance, resulting in responses, or part responses, 
being received by the wrong client.

Credit:

Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for 
discovering the issue and working with the Tomcat security team to 
identify the root cause and appropriate fix.

References:

https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3
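The practical question for anyone triaging this bug is whether a given deployment is still on a release older than the branch's fix. The following is an added example, not part of this bug report or of Tomcat itself: it parses Tomcat version strings (including the `-M<n>` milestone form used by the 10.x lines, which must sort before the GA release of the same number), compares them against the "Fixed In Version" values listed above, and extracts the version from a `version.sh` style line. The sample banner lines are constructed here for illustration.

```python
"""Check a Tomcat version string against the CVE-2021-43980 fixed-in versions."""
import re
from typing import Optional, Tuple

# Fixed-in versions per release branch, taken from the bug's "Fixed In Version" field.
# The advisory's affected ranges start at the first release of each branch and end at
# the release before these, so "affected" reduces to "older than the branch's fix".
FIXED_IN = {
    (10, 1): "10.1.0-M14",
    (10, 0): "10.0.20",
    (9, 0): "9.0.62",
    (8, 5): "8.5.78",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn '10.1.0-M12' into a sortable key.

    Milestones (-M<n>) sort before the GA release of the same number, so the key
    carries a flag (0 = milestone, 1 = GA) ahead of the milestone counter.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> Optional[bool]:
    """True if `version` predates its branch's fix, False if it is fixed, and None
    if the branch is not covered by this advisory at all (e.g. Tomcat 7)."""
    key = parse_version(version)
    fixed = FIXED_IN.get(key[:2])
    if fixed is None:
        return None
    return key < parse_version(fixed)


def assess_banner(banner: str) -> Optional[Tuple[str, Optional[bool], Optional[str]]]:
    """Pull the version out of a Server header or a `version.sh` output line and
    assess it. Returns (version, affected, fixed_in), or None if no version is found."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    version = m.group(1)
    return (version, is_affected(version), FIXED_IN.get(parse_version(version)[:2]))


if __name__ == "__main__":
    # Constructed sample lines in the form `version.sh` prints them (not real hosts).
    samples = [
        "Server version: Apache Tomcat/9.0.60",
        "Server version: Apache Tomcat/10.1.0-M12",
        "Server version: Apache Tomcat/8.5.78",
        "Server version: Apache Tomcat/7.0.109",
    ]
    for line in samples:
        print(line, "->", assess_banner(line))
```

Run it against the output of `$CATALINA_HOME/bin/version.sh` (or a captured `Server` header) on each host; a `None` verdict means the branch is outside the ranges this advisory lists, not that it is safe.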

Comment 3 TEJ RATHI 2022-10-11 05:20:27 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 2133649]
Affects: fedora-all [bug 2133650]