2130599 – (CVE-2021-43980) CVE-2021-43980 Apache Tomcat: Information disclosure

Bug 2130599 (CVE-2021-43980) - CVE-2021-43980 Apache Tomcat: Information disclosure

Summary: CVE-2021-43980 Apache Tomcat: Information disclosure

Keywords:
Status:	NEW
Alias:	CVE-2021-43980
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2133649 2133650 2133652 2133653
Blocks:	2130601
TreeView+	depends on / blocked

Reported:	2022-09-28 15:08 UTC by Sage McTaggart
Modified:	2024-03-08 18:04 UTC (History)
CC List:	19 users (show)
Fixed In Version:	Tomcat 10.1.0-M14, Tomcat 10.0.20, Tomcat 9.0.62, Tomcat 8.5.78
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Sage McTaggart 2022-09-28 15:08:46 UTC

Severity: important

Description:

The simplified implementation of blocking reads and writes introduced in 
Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long 
standing (but extremely hard to trigger) concurrency bug in Apache 
Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 
and 8.5.0 to 8.5.77 that could cause client connections to share an 
Http11Processor instance resulting in responses, or part responses, to 
be received by the wrong client.

Credit:

Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for 
discovering the issue and working with the Tomcat security team to 
identify the root cause and appropriate fix.

References:

https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3

Comment 3 TEJ RATHI 2022-10-11 05:20:27 UTC

Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 2133649]
Affects: fedora-all [bug 2133650]

Note You need to log in before you can comment on or make changes to this bug.