Bug 1191789 - (CVE-2021-42340) VUL-0: CVE-2021-42340: tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Major
Target Milestone: ---
Assigned To: Abid Mehmood
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/312619/
Depends on:
Blocks:
Reported: 2021-10-18 14:55 UTC by Thomas Leroy
Modified: 2021-11-09 12:19 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Thomas Leroy 2021-10-18 14:55:29 UTC
rh#2014356

Apache Tomcat did not properly release an HTTP upgrade connection for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. This issue affects the version of Apache Tomcat 10.1.0-M1 to 10.1.0-M5; Apache Tomcat 10.0.0-M10 to 10.0.11; Apache Tomcat 9.0.40 to 9.0.53; Apache Tomcat 8.5.60 to 8.5.71.

Upstream commits:
Tomcat 10.1: https://github.com/apache/tomcat/commit/d5a6660cba7f51589468937bf3bbad4db7810371
Tomcat 10.0: https://github.com/apache/tomcat/commit/31d62426645824bdfe076a0c0eafa904d90b4fb9
Tomcat 9.0: https://github.com/apache/tomcat/commit/80f1438ec45e77a07b96419808971838d259eb47
Tomcat 8.5: https://github.com/apache/tomcat/commit/d27535bdee95d252418201eb21e9d29476aa6b6a

Reference:
https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2014356
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42340
http://seclists.org/oss-sec/2021/q4/31
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42340
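The affected ranges quoted in the description are easy to misjudge by eye because Tomcat milestone builds such as 10.0.0-M10 sort before the corresponding final release 10.0.0, so a plain string comparison gets them wrong. The following Python snippet is an added example and not part of this bug report, of Tomcat, or of the SUSE security process: it encodes the four inclusive ranges exactly as the advisory text states them and checks an inventory of Tomcat version strings against them. The inventory dictionary is constructed sample data, and the version format (`major.minor.patch` with an optional `-M<n>` milestone suffix) is an assumption taken from the versions listed above.

```python
import re
from typing import Dict, List, Tuple

# Inclusive affected ranges, copied verbatim from the CVE-2021-42340 description.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("10.1.0-M1", "10.1.0-M5"),
    ("10.0.0-M10", "10.0.11"),
    ("9.0.40", "9.0.53"),
    ("8.5.60", "8.5.71"),
]

# Assumed version syntax: "major.minor.patch" optionally followed by "-M<n>".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    The fourth element is 1 for a final release and 0 for a milestone, so
    every milestone of X.Y.Z sorts before the X.Y.Z release itself; the fifth
    element is the milestone number (0 for releases).
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        # Refuse to guess: an unparseable version must not be reported as safe.
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version falls inside any of the advisory's inclusive ranges."""
    key = parse_version(version)
    return any(parse_version(low) <= key <= parse_version(high)
               for low, high in AFFECTED_RANGES)


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted list of hosts whose Tomcat version is affected."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "app-01.example.test": "9.0.53",      # last affected 9.0.x
    "app-02.example.test": "9.0.54",      # first fixed 9.0.x
    "app-03.example.test": "10.0.0-M10",  # first affected 10.0 milestone
    "app-04.example.test": "10.0.0-M9",   # milestone before the affected range
    "app-05.example.test": "10.1.0-M6",   # after the affected 10.1 milestones
    "app-06.example.test": "8.5.71",      # last affected 8.5.x
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Tomcat {SAMPLE_INVENTORY[host]} is in an affected range")
```

Because the milestone flag is part of the sort key, the 10.0 range correctly covers the 10.0.0 final release as well as the milestones from M10 onward, and a version string the parser does not recognise raises instead of being silently counted as unaffected, which is the conservative behaviour wanted in a fleet check.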
Comment 1 Thomas Leroy 2021-10-18 14:57:13 UTC
Not affecting SLE or openSUSE, closing.