Bug 2130599 (CVE-2021-43980) - CVE-2021-43980 Apache Tomcat: Information disclosure
Summary: CVE-2021-43980 Apache Tomcat: Information disclosure
Status: NEW
Alias: CVE-2021-43980
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 2133649 2133650 2133652 2133653
Blocks: 2130601
Reported: 2022-09-28 15:08 UTC by Sage McTaggart
Modified: 2023-07-07 08:35 UTC
CC List: 20 users

Fixed In Version: Tomcat 10.1.0-M14, Tomcat 10.0.20, Tomcat 9.0.62, Tomcat 8.5.78
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:


Description Sage McTaggart 2022-09-28 15:08:46 UTC
Severity: important


The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance, resulting in responses, or part responses, being received by the wrong client.


Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for discovering the issue and working with the Tomcat security team to identify the root cause and appropriate fix.


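The following script is an added example, not part of this bug report or of the Tomcat project. It maps a Tomcat version string to the fix releases listed under "Fixed In Version" above and reports whether the release predates the fix on its branch. Any release on the 8.5, 9.0, 10.0 or 10.1 branch that sorts below the branch's first fixed version is treated as affected, which matches the ranges in the description, since those start at the first release of each branch. The FIXED_IN table, the function names and the sample version.sh output are this example's own constructions; milestone releases (-Mn) are ordered below the final release of the same number so that 10.1.0-M12 < 10.1.0-M14 < 10.1.0.

```python
"""Classify a Tomcat version against the CVE-2021-43980 fix versions.

Added example, not code from the bug report or the Tomcat project. The
fix versions come from the "Fixed In Version" field of this bug; the
names and the sample output are constructed for illustration.
"""
import re
from typing import Optional, Tuple

# First release on each branch that carries the fix ("Fixed In Version").
FIXED_IN = {
    (8, 5): "8.5.78",
    (9, 0): "9.0.62",
    (10, 0): "10.0.20",
    (10, 1): "10.1.0-M14",
}

# major.minor.patch, optional -Mn milestone, optional trailing build number
# (version.sh prints e.g. "Server number:  9.0.60.0").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?(?:\.\d+)?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn 'Apache Tomcat/10.1.0-M12' or '9.0.60' into a sortable tuple.

    The fourth field is 0 for a milestone and 1 for a final release, so a
    milestone always sorts below the final release of the same number:
    10.1.0-M12 < 10.1.0-M14 < 10.1.0.
    """
    token = text.strip().rsplit("/", 1)[-1]
    m = _VERSION_RE.match(token)
    if m is None:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version) for one version string.

    status is 'affected' when the release sorts below its branch's fix,
    'fixed' when it is the fix release or later, and 'not-listed' when the
    branch does not appear in this report (which is not a statement that
    the branch is safe).
    """
    version = parse_version(text)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return ("not-listed", None)
    status = "affected" if version < parse_version(fixed) else "fixed"
    return (status, fixed)


def assess_version_sh(output: str) -> Tuple[str, Optional[str]]:
    """Assess the 'Server version:' line of $CATALINA_HOME/bin/version.sh output."""
    for line in output.splitlines():
        if line.startswith("Server version:"):
            return assess(line.split(":", 1)[1])
    raise ValueError("no 'Server version:' line in version.sh output")


# Constructed sample of version.sh output (not captured from a real host).
SAMPLE_VERSION_SH = """\
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/9.0.60
Server built:   Mar 2 2022 16:38:26 UTC
Server number:  9.0.60.0
OS Name:        Linux
"""

if __name__ == "__main__":
    for candidate in ("8.5.77", "9.0.62", "10.0.18", "10.1.0-M12",
                      "10.1.0-M14", "7.0.109"):
        print(candidate, *assess(candidate))
    print("version.sh sample:", *assess_version_sh(SAMPLE_VERSION_SH))
```

In practice, pipe the output of `$CATALINA_HOME/bin/version.sh` into `assess_version_sh`, or feed the version printed in the server banner to `assess`. A branch that this report does not list (for example 7.0) comes back as `not-listed`, not `fixed`; the check only knows the four fix releases named in the bug.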

Comment 3 TEJ RATHI 2022-10-11 05:20:27 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 2133649]
Affects: fedora-all [bug 2133650]
