{"containers": {"cna": {"affected": [{"product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Tomcat 10 10.0.3 to 10.0.4"}, {"status": "affected", "version": "Apache Tomcat 9 9.0.44"}, {"status": "affected", "version": "Apache Tomcat 8.5 8.5.64"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64."}], "problemTypes": [{"descriptions": [{"description": "Denial of Service", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-21T04:06:54", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E"}, {"name": "[tomcat-users] 20210712 RE: [SECURITY] CVE-2021-30639 Apache Tomcat DoS", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cusers.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20210712 RE: [SECURITY] CVE-2021-30639 Apache Tomcat DoS", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cdev.tomcat.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210827-0007/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "GLSA-202208-34", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-34"}], "source": {"discovery": "UNKNOWN"}, "title": "DoS after non-blocking IO error", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-30639", "STATE": "PUBLIC", "TITLE": "DoS after non-blocking IO error"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Tomcat", "version": {"version_data": [{"version_affected": "=", "version_name": "Apache Tomcat 10", "version_value": "10.0.3 to 10.0.4"}, {"version_affected": "=", "version_name": "Apache Tomcat 9", "version_value": "9.0.44"}, {"version_affected": "=", "version_name": "Apache Tomcat 8.5", "version_value": "8.5.64"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E"}, {"name": "[tomcat-users] 20210712 RE: [SECURITY] CVE-2021-30639 Apache Tomcat DoS", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf@%3Cusers.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20210712 RE: [SECURITY] CVE-2021-30639 Apache Tomcat DoS", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf@%3Cdev.tomcat.apache.org%3E"}, {"name": "https://security.netapp.com/advisory/ntap-20210827-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210827-0007/"}, {"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", "refsource": "CONFIRM", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "GLSA-202208-34", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-34"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:40:31.655Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E"}, {"name": "[tomcat-users] 20210712 RE: [SECURITY] CVE-2021-30639 Apache Tomcat DoS", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cusers.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20210712 RE: [SECURITY] CVE-2021-30639 Apache Tomcat DoS", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cdev.tomcat.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210827-0007/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "GLSA-202208-34", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-34"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-30639", "datePublished": "2021-07-12T14:55:12", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2024-08-03T22:40:31.655Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:8.5.64:*:*:*:*:*:*:*", "matchCriteriaId": "957579EB-9220-4E0F-AAA7-8C3508F1B324", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.44:*:*:*:*:*:*:*", "matchCriteriaId": "EFF4A0C3-65AA-4B29-A5F7-343478672608", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "7F002FE3-E742-465B-97A3-D0A530E712C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "1CD1CF8D-350B-4C2D-B801-2FD780890340", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "A30F7908-5AF6-4761-BC6A-4C18EFAE48E5", "versionEndExcluding": "5.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*", "matchCriteriaId": "0F30D3AF-4FA3-4B7A-BE04-C24E2EA19A95", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*", "matchCriteriaId": "7B00DDE7-7002-45BE-8EDE-65D964922CB0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:*", "matchCriteriaId": "DB88C165-BB24-49FB-AAF6-087A766D5AD1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*", "matchCriteriaId": "FF806B52-DAD5-4D12-8BB6-3CBF9DC6B8DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*", "matchCriteriaId": "7DE847E0-431D-497D-9C57-C4E59749F6A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*", "matchCriteriaId": "46385384-5561-40AA-9FDE-A2DE4FDFAD3E", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*", "matchCriteriaId": "B7CA7CA6-7CF2-48F6-81B5-69BA0A37EF4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*", "matchCriteriaId": "9E4E5481-1070-4E1F-8679-1985DE4E785A", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*", "matchCriteriaId": "D9EEA681-67FF-43B3-8610-0FA17FD279E5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*", "matchCriteriaId": "C33BA8EA-793D-4E79-BE9C-235ACE717216", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:*", "matchCriteriaId": "823DBE80-CB8D-4981-AE7C-28F3FDD40451", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*", "matchCriteriaId": "384DEDD9-CB26-4306-99D8-83068A9B23ED", "versionEndExcluding": "23.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64."}, {"lang": "es", "value": "Una vulnerabilidad en Apache Tomcat permite a un atacante desencadenar remotamente una denegaci\u00f3n de servicio. Un error introducido como parte de un cambio para mejorar el manejo de errores durante la I/O sin bloqueo significaba que el flag de error asociado al objeto Request no se restablec\u00eda entre peticiones. Esto significaba que una vez que se produc\u00eda un error de I/O sin bloqueo, todas las futuras peticiones manejadas por ese objeto de petici\u00f3n podr\u00edan producir un fallo. Unos usuarios pod\u00edan desencadenar errores de I/O sin bloqueo, por ejemplo, abandonando una conexi\u00f3n, creando as\u00ed la posibilidad de desencadenar una DoS. Las aplicaciones que no usan I/O sin bloqueo no est\u00e1n expuestas a esta vulnerabilidad. Este problema afecta a Apache Tomcat versiones 10.0.3 a 10.0.4; 9.0.44; 8.5.64"}], "id": "CVE-2021-30639", "lastModified": "2023-11-07T03:33:26.447", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-12T15:15:08.333", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cdev.tomcat.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cusers.tomcat.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-34"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210827-0007/"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "tomcat: non-blocking I/O error flag is not reset between requests", "id": "1981540", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981540"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-459", "details": ["A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.", "A flaw was found in Apache Tomcat. This flaw allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This means that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users can trigger non-blocking I/O errors (ex. by dropping a connection), creating the possibility of triggering a denial of service. Applications that do not use non-blocking I/O are not exposed to this vulnerability. The highest threat from this vulnerability is to system availability."], "name": "CVE-2021-30639", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2021-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-30639\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-30639"], "statement": "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "threat_severity": "Important", "upstream_fix": "tomcat 10.0.5, tomcat 9.0.45, tomcat 8.5.65"}