Apache Tomcat did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service. This issue affects the version of Apache Tomcat 10.0.0-M1 to 10.0.2; 9.0.0-M1 to 9.0.43; 8.5.0 to 8.5.63. Upstream commits: Tomcat 10.0.4: https://github.com/apache/tomcat/commit/34115fb3c83f6cd97772232316a492a4cc5729e0 Tomcat 9.0.44: https://github.com/apache/tomcat/commit/d4b340fa8feaf55831f9a59350578f7b6ca048b8 Tomcat 8.5.64: https://github.com/apache/tomcat/commit/b90d4fc1ff44f30e4b3aba622ba6677e3f003822 Reference: https://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E
Red Hat Jboss Fuse 6 ships some of the vulnerable artifacts as bundled artifacts in ops4j pax web, however there is no use of these artifacts in Fuse itself, the artifacts are also prevented from loading with a deny list in karaf, for these reasons we believe the impact upon Fuse 6.3 is low. The same also applies to Red Hat Fuse 7. This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Additional references: https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.4 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.44 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.64
Tomcat packages as shipped with Red Hat Enterprise Linux 7 and earlier are not affected, as they do not include the affected OpenSSLEngine. It seems support for the OpenSSL engine for JSSE was introduced in Tomcat version 8.5.0: https://tomcat.apache.org/whichversion.html#Apache_Tomcat_8.x The section for "Apache Tomcat 8.5.x" notes: Adds support for using OpenSSL for TLS support with the JSSE connectors (NIO and NIO2)
Created tomcat:master/tomcat tracking bugs for this issue: Affects: fedora-all [bug 2005887]
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.5 on RHEL 7 Red Hat JBoss Web Server 5.5 on RHEL 8 Via RHSA-2021:3741 https://access.redhat.com/errata/RHSA-2021:3741
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2021:3743 https://access.redhat.com/errata/RHSA-2021:3743
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-41079
This issue has been addressed in the following products: Red Hat Support for Spring Boot 2.5.10 Via RHSA-2022:1179 https://access.redhat.com/errata/RHSA-2022:1179
This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532