Bug 1188280 - (CVE-2021-30639) VUL-0: CVE-2021-30639: tomcat6,tomcat: remote denial of service caused by 'improved' error handling
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Minor
Assigned To: Security Team bot
Reported: 2021-07-13 14:59 UTC by Robert Frohl
Modified: 2021-10-27 11:53 UTC

Found By: Security Response Team


Description Robert Frohl 2021-07-13 14:59:55 UTC

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial
of service. An error introduced as part of a change to improve error handling
during non-blocking I/O meant that the error flag associated with the Request
object was not reset between requests. This meant that once a non-blocking I/O
error occurred, all future requests handled by that request object would fail.
Users were able to trigger non-blocking I/O errors, e.g. by dropping a
connection, thereby creating the possibility of triggering a DoS. Applications
that do not use non-blocking I/O are not exposed to this vulnerability. This
issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.
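An added illustration (not Tomcat's code) of the defect class the description above refers to: a request object that the container recycles between requests keeps its error flag across recycling, so one I/O failure poisons every later request on that object, beside a recycle routine that resets the flag. The names Request, serve and run_workload and the workload are constructed for this example.

```python
"""Simplified model of a recycled request object whose error flag is not
reset between requests (the defect class behind CVE-2021-30639).
Written for this page as an illustration; it is not Tomcat's code."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Request:
    """One request object that the container reuses for each new request."""
    error: bool = False
    body: bytes = b""

    def recycle_buggy(self) -> None:
        # Clears per-request data but forgets the error flag: the defect.
        self.body = b""

    def recycle_fixed(self) -> None:
        # Resets every per-request field, including the error flag.
        self.body = b""
        self.error = False


def serve(req: Request, payload: bytes, io_error: bool) -> int:
    """Handle one request on the recycled object and return an HTTP status.

    io_error stands in for a non-blocking I/O error such as a dropped
    connection; an object already flagged as failed rejects the request.
    """
    if req.error:
        return 500
    if io_error:
        req.error = True
        return 500
    req.body = payload
    return 200


def run_workload(fixed: bool) -> list[int]:
    """Constructed workload: a good request, one I/O failure, then two good ones."""
    req = Request()
    recycle = req.recycle_fixed if fixed else req.recycle_buggy
    statuses = []
    for payload, io_error in [(b"a", False), (b"b", True), (b"c", False), (b"d", False)]:
        statuses.append(serve(req, payload, io_error))
        recycle()  # container hands the same object to the next request
    return statuses
```

With the buggy recycle the statuses after the single failure stay at 500 for every later request; with the fixed recycle only the failing request itself returns 500.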

Comment 1 Abid Mehmood 2021-09-29 12:20:18 UTC
This issue was introduced because of refactoring https://github.com/apache/tomcat/commit/3082475acb55e9b0aaa17600b498c30189e20eca but that refactoring is not part of any of the tomcat versions that we have. So in our case, none of the tomcats is affected by this CVE.

How should we proceed with such CVEs?
Comment 3 Robert Frohl 2021-10-27 11:53:57 UTC