Bug 1188280 - (CVE-2021-30639) VUL-0: CVE-2021-30639: tomcat6,tomcat: remote denial of service caused by 'improved' error handling
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/303831/
Reported: 2021-07-13 14:59 UTC by Robert Frohl
Modified: 2021-10-27 11:53 UTC (History)
Found By: Security Response Team
Description Robert Frohl 2021-07-13 14:59:55 UTC
CVE-2021-30639

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial
of service. An error introduced as part of a change to improve error handling
during non-blocking I/O meant that the error flag associated with the Request
object was not reset between requests. This meant that once a non-blocking I/O
error occurred, all future requests handled by that request object would fail.
Users were able to trigger non-blocking I/O errors, e.g. by dropping a
connection, thereby creating the possibility of triggering a DoS. Applications
that do not use non-blocking I/O are not exposed to this vulnerability. This
issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639
https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E
Comment 1 Abid Mehmood 2021-09-29 12:20:18 UTC
This issue was introduced because of refactoring https://github.com/apache/tomcat/commit/3082475acb55e9b0aaa17600b498c30189e20eca but that refactoring is not part of any of the tomcat versions that we have. So in our case, none of the tomcats is affected by this CVE.

@Robert,
How should we proceed with such CVEs?
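The triage step described in the comment above, deciding whether the commit that introduced the regression is contained in the release a distribution ships, can be answered mechanically with git's ancestry check. The script below is an added example, not SUSE's or Tomcat's own tooling: the commit hash is the one cited in the comment, the tag names in the usage line (8.5.63, 8.5.64, 8.5.65) assume Tomcat's convention of tagging releases with the bare version number, and the demo at the end runs against a throwaway repository it constructs itself, not against Tomcat history.

```shell
#!/bin/sh
# Added example, not SUSE's or Tomcat's tooling: answer "is the commit that
# introduced the bug reachable from the version we ship?" with git's own
# ancestry check. The commit hash is the one cited on this page; tag names
# such as 8.5.64 are an assumption about Tomcat's release tagging.

INTRODUCING_COMMIT=3082475acb55e9b0aaa17600b498c30189e20eca

# commit_in_ref REPO_DIR COMMIT REF
# Prints "yes" if COMMIT is reachable from REF (tag, branch or hash), "no" if
# it is not, and "unknown" if git cannot resolve one of them (a typo in a tag
# name must not be mistaken for "not affected"). Always returns 0 so the
# caller decides how to treat each outcome.
commit_in_ref() {
    repo=$1; commit=$2; ref=$3
    if ! git -C "$repo" rev-parse --verify -q "$commit^{commit}" >/dev/null \
       || ! git -C "$repo" rev-parse --verify -q "$ref^{commit}" >/dev/null; then
        echo unknown
        return 0
    fi
    if git -C "$repo" merge-base --is-ancestor "$commit" "$ref"; then
        echo yes
    else
        echo no
    fi
    return 0
}

# triage_tags REPO_DIR TAG...
# One line per tag: "<tag>: yes|no|unknown" for INTRODUCING_COMMIT.
# Usage against a real checkout: triage_tags /path/to/tomcat 8.5.63 8.5.64 8.5.65
triage_tags() {
    repo=$1; shift
    for tag in "$@"; do
        printf '%s: %s\n' "$tag" "$(commit_in_ref "$repo" "$INTRODUCING_COMMIT" "$tag")"
    done
}

# demo_constructed_repo: builds a throwaway repository (constructed data, not
# Tomcat history) where tag "before" precedes a "refactor" commit and tag
# "after" contains it, then prints the three answers separated by spaces.
demo_constructed_repo() {
    tmp=$(mktemp -d)
    g() { git -C "$tmp" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q
    g commit -q --allow-empty -m "base"
    g tag before
    g commit -q --allow-empty -m "refactor non-blocking error handling"
    refactor=$(g rev-parse HEAD)
    g tag after
    printf '%s %s %s\n' \
        "$(commit_in_ref "$tmp" "$refactor" before)" \
        "$(commit_in_ref "$tmp" "$refactor" after)" \
        "$(commit_in_ref "$tmp" "$refactor" nonexistent-tag)"
    rm -rf "$tmp"
}

demo_constructed_repo   # prints: no yes unknown
```

Against a real Tomcat clone, `triage_tags` reports "no" for every tag the distribution packages when the introducing commit is absent, which is the situation the comment describes; the "unknown" outcome exists so that a mistyped or unfetched tag is surfaced rather than silently read as "not affected".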
Comment 3 Robert Frohl 2021-10-27 11:53:57 UTC
closing