Bug 2014356 (CVE-2021-42340) - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
Status: CLOSED ERRATA
Alias: CVE-2021-42340
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2014926 2014927 2014928
Blocks: 2014348
Reported: 2021-10-15 02:13 UTC by Ted Jongseok Won
Modified: 2023-12-06 13:57 UTC (History)

Fixed In Version: tomcat 10.1.0-M6, tomcat 10.0.12, tomcat 9.0.54, tomcat 8.5.72
Doc Text:
A memory leak flaw was found in Apache Tomcat, where an HTTP upgrade connection does not release for WebSocket connections once the WebSocket connection is closed. If a sufficient number of such requests are made, an OutOfMemoryError occurs, leading to a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2022-01-07 19:12:04 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2021:4861 (last updated 2021-11-30 14:25:59 UTC)
Red Hat Product Errata RHSA-2021:4863 (last updated 2021-11-30 14:25:49 UTC)
Red Hat Product Errata RHSA-2022:1179 (last updated 2022-04-12 19:07:13 UTC)
Red Hat Product Errata RHSA-2022:5532 (last updated 2022-07-07 14:21:36 UTC)

Description Ted Jongseok Won 2021-10-15 02:13:09 UTC
Apache Tomcat did not properly release an HTTP upgrade connection for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. This issue affects Apache Tomcat 10.1.0-M1 to 10.1.0-M5; Apache Tomcat 10.0.0-M10 to 10.0.11; Apache Tomcat 9.0.40 to 9.0.53; Apache Tomcat 8.5.60 to 8.5.71.

Upstream commits:
Tomcat 10.1: https://github.com/apache/tomcat/commit/d5a6660cba7f51589468937bf3bbad4db7810371
Tomcat 10.0: https://github.com/apache/tomcat/commit/31d62426645824bdfe076a0c0eafa904d90b4fb9
Tomcat 9.0: https://github.com/apache/tomcat/commit/80f1438ec45e77a07b96419808971838d259eb47
Tomcat 8.5: https://github.com/apache/tomcat/commit/d27535bdee95d252418201eb21e9d29476aa6b6a

Reference:
https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E
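Added example, not part of the bug report or of Tomcat's own code: a small Python checker that classifies a Tomcat version string against the affected ranges and "Fixed In Version" values listed in this report, ranking milestone builds (M1, M5, ...) below the corresponding final release. The banner helper assumes the `Server version: Apache Tomcat/x.y.z` line printed by `catalina.sh version`; the sample banner is constructed.

```python
"""Classify an Apache Tomcat version against the CVE-2021-42340 affected ranges."""
import re
from typing import Optional, Tuple

# Affected ranges (inclusive) as stated in the bug description; fixed versions from the
# "Fixed In Version" field. Milestone builds such as 10.1.0-M5 precede the final 10.1.0.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M5"),
    ("10.0.0-M10", "10.0.11"),
    ("9.0.40", "9.0.53"),
    ("8.5.60", "8.5.71"),
]
FIXED_IN = {"10.1": "10.1.0-M6", "10.0": "10.0.12", "9.0": "9.0.54", "8.5": "8.5.72"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")
_FINAL_RELEASE = 10**6  # sorts any final release after every milestone of that version


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.0.53' or '10.1.0-M5' into a sortable (major, minor, patch, rank) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone is not None else _FINAL_RELEASE
    return (int(major), int(minor), int(patch), rank)


def version_from_banner(server_info: str) -> Optional[str]:
    """Extract the version from a 'Server version: Apache Tomcat/9.0.53' line."""
    m = _BANNER_RE.search(server_info)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """First release on the same branch that fixes the flaw, or None if not affected."""
    if not is_affected(version):
        return None
    major, minor, _, _ = parse_version(version)
    return FIXED_IN[f"{major}.{minor}"]


if __name__ == "__main__":
    # Constructed sample banner in the format printed by `catalina.sh version`.
    banner = "Server version: Apache Tomcat/9.0.53"
    found = version_from_banner(banner)
    print(found, is_affected(found), fixed_version_for(found))  # 9.0.53 True 9.0.54
```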

Comment 2 Doran Moppert 2021-10-15 02:42:05 UTC
Introduced by: https://bz.apache.org/bugzilla/show_bug.cgi?id=63362

Comment 4 Jonathan Christison 2021-10-15 09:33:36 UTC
Red Hat JBoss Fuse 6 ships some of the vulnerable artifacts as bundled artifacts in OPS4J Pax Web; however, there is no use of these artifacts in Fuse itself, and the artifacts are also prevented from loading by a deny list in Karaf. For these reasons we believe the impact upon Fuse 6.3 is low.

The same also applies to Red Hat Fuse 7.

This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 9 Doran Moppert 2021-10-18 01:23:07 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2014926]


Created tomcat:master/tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2014927]

Comment 15 errata-xmlrpc 2021-11-30 14:25:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2021:4863 https://access.redhat.com/errata/RHSA-2021:4863

Comment 16 errata-xmlrpc 2021-11-30 14:25:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.6 on RHEL 7
  Red Hat JBoss Web Server 5.6 on RHEL 8

Via RHSA-2021:4861 https://access.redhat.com/errata/RHSA-2021:4861

Comment 22 Product Security DevOps Team 2022-01-07 19:11:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-42340

Comment 23 errata-xmlrpc 2022-04-12 19:07:08 UTC
This issue has been addressed in the following products:

  Red Hat Support for Spring Boot 2.5.10

Via RHSA-2022:1179 https://access.redhat.com/errata/RHSA-2022:1179

Comment 24 errata-xmlrpc 2022-07-07 14:21:32 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 31 Sandipan Roy 2023-06-16 03:54:36 UTC
RHEL 9 Errata:
https://access.redhat.com/errata/RHBA-2022:8077

