{"containers": {"cna": {"affected": [{"product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Tomcat 10 10.0.0-M10 to 10.0.11"}, {"status": "affected", "version": "Apache Tomcat 10 10.1.0-M1 to 10.1.0-M5"}, {"status": "affected", "version": "Apache Tomcat 9 9.0.40 to 9.0.53"}, {"status": "affected", "version": "Apache Tomcat 8 8.5.60 to 8.5.71"}]}], "descriptions": [{"lang": "en", "value": "The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-772", "description": "CWE-772 Missing Release of Resource after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-21T04:07:37", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E"}, {"name": "[myfaces-commits] 20211021 [myfaces-tobago] branch tobago-5.x updated: build: workaround for CVE-2021-42340", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E"}, {"name": "DSA-5009", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-5009"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20211104-0001/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10379"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"name": "GLSA-202208-34", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-34"}], "source": {"discovery": "UNKNOWN"}, "title": "DoS via memory leak with WebSocket connections", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-42340", "STATE": "PUBLIC", "TITLE": "DoS via memory leak with WebSocket connections"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Tomcat", "version": {"version_data": [{"version_affected": "=", "version_name": "Apache Tomcat 10", "version_value": "10.0.0-M10 to 10.0.11"}, {"version_affected": "=", "version_name": "Apache Tomcat 10", "version_value": "10.1.0-M1 to 10.1.0-M5"}, {"version_affected": "=", "version_name": "Apache Tomcat 9", "version_value": "9.0.40 to 9.0.53"}, {"version_affected": "=", "version_name": "Apache Tomcat 8", "version_value": "8.5.60 to 8.5.71"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-772 Missing Release of Resource after Effective Lifetime"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E"}, {"name": "[myfaces-commits] 20211021 [myfaces-tobago] branch tobago-5.x updated: build: workaround for CVE-2021-42340", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784@%3Ccommits.myfaces.apache.org%3E"}, {"name": "DSA-5009", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-5009"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "https://security.netapp.com/advisory/ntap-20211104-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20211104-0001/"}, {"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10379", "refsource": "CONFIRM", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10379"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"name": "GLSA-202208-34", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-34"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:30:38.354Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E"}, {"name": "[myfaces-commits] 20211021 [myfaces-tobago] branch tobago-5.x updated: build: workaround for CVE-2021-42340", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E"}, {"name": "DSA-5009", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-5009"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20211104-0001/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10379"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"name": "GLSA-202208-34", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-34"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-42340", "datePublished": "2021-10-14T19:55:14", "dateReserved": "2021-10-13T00:00:00", "dateUpdated": "2024-08-04T03:30:38.354Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "890E6FBC-FCC5-44B0-8CE8-AD7E8F0A1BFA", "versionEndExcluding": "8.5.72", "versionStartIncluding": "8.5.60", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "654BD045-868C-4DC0-B36C-824C0F4C41CD", "versionEndExcluding": "9.0.54", "versionStartIncluding": "9.0.40", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C639222-18E7-4BDC-A53A-684F63C42991", "versionEndExcluding": "10.0.12", "versionStartIncluding": "10.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "83B9FF07-1B93-4F8C-AC56-7CA74E61B724", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:hci:-:*:*:*:*:*:*:*", "matchCriteriaId": "8A6E548F-62E9-40CB-85DA-FDAA0F0096C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*", "matchCriteriaId": "86B51137-28D9-41F2-AFA2-3CC22B4954D1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*", "matchCriteriaId": "384DEDD9-CB26-4306-99D8-83068A9B23ED", "versionEndExcluding": "23.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", "matchCriteriaId": "590ADE5F-0D0F-4576-8BA6-828758823442", "versionEndIncluding": "8.5.0.2", "versionStartIncluding": "8.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "05F5B430-8BA1-4865-93B5-0DE89F424B53", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "A2E3E923-E2AD-400D-A618-26ADF7F841A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "9AB58D27-37F2-4A32-B786-3490024290A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "9AB179A8-DFB7-4DCF-8DE3-096F376989F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:payment_interface:19.1:*:*:*:*:*:*:*", "matchCriteriaId": "5D01A0EC-3846-4A74-A174-3797078DC699", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:payment_interface:20.3:*:*:*:*:*:*:*", "matchCriteriaId": "03E5FCFB-093A-48E9-8A4E-34C993D2764E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_customer_insights:15.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "3D1C35DF-D30D-42C8-B56D-C809609AB2A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_customer_insights:16.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "834B4CE7-042E-489F-AE19-0EEA2C37E7A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_data_extractor_for_merchandising:15.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "82653579-FF7D-4492-9CA2-B3DF6A708831", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_data_extractor_for_merchandising:16.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "32D2EB48-F9A2-4D23-81C5-4B30F2D785DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_eftlink:21.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4B95628-F108-424A-8C19-40A5F5B7D37B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:16.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EE6D2296-FF70-462A-963D-C93429499E4F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_financial_integration:19.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B7B0B33-2361-4CF5-8075-F609858A582E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:14.0.4.13:*:*:*:*:*:*:*", "matchCriteriaId": "88458537-6DE8-4D79-BC71-9D08883AD0C1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E310654-0793-41CC-B049-C754AC31D016", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.14:*:*:*:*:*:*:*", "matchCriteriaId": "4C5B22C6-97AF-4D1B-84C9-987C6F62C401", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "FFD9AAE5-9472-49C6-B054-DB76BEB86D35", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.8:*:*:*:*:*:*:*", "matchCriteriaId": "A104FDBD-0B28-44EE-91A0-A0C8939865A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "C2D60A4D-BB4F-4177-AFA8-A8DC8C111FB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "77E39D5C-5EFA-4FEB-909E-0A92004F2563", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*", "matchCriteriaId": "06816711-7C49-47B9-A9D7-FB18CC3F42F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:taleo_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "10009CC2-04DD-4CD3-B256-2D5EFD9A1D1D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError."}, {"lang": "es", "value": "La correcci\u00f3n del bug 63362 presente en Apache Tomcat versiones 10.1.0-M1 hasta 10.1.0-M5, versiones 10.0.0-M1 hasta 10.0.11, versiones 9.0.40 hasta 9.0.53 y versiones 8.5.60 hasta 8.5.71, introduc\u00eda una p\u00e9rdida de memoria. El objeto introducido para recopilar m\u00e9tricas para las conexiones de actualizaci\u00f3n HTTP no se liberaba para las conexiones WebSocket una vez que se cerraba la conexi\u00f3n. Esto creaba una p\u00e9rdida de memoria que, con el tiempo, pod\u00eda conllevar a una denegaci\u00f3n de servicio por medio de un OutOfMemoryError"}], "id": "CVE-2021-42340", "lastModified": "2023-11-07T03:39:09.487", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-14T20:15:09.060", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10379"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-34"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211104-0001/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-5009"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-772"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-772"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHBA-2022:8077", "cpe": "cpe:/a:redhat:enterprise_linux:9", "impact": "low", "package": "pki-servlet-engine-1:9.0.50-1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-11-15T00:00:00Z"}, {"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "impact": "low", "package": "tomcat", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}, {"advisory": "RHSA-2021:4863", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6", "package": "tomcat", "product_name": "Red Hat JBoss Web Server 5", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7", "package": "jws5-tomcat-0:9.0.50-3.redhat_00004.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 7", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7", "package": "jws5-tomcat-native-0:1.2.30-3.redhat_3.el7jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 7", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7", "package": "jws5-tomcat-vault-0:1.1.8-4.Final_redhat_00004.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 7", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8", "package": "jws5-tomcat-0:9.0.50-3.redhat_00004.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 8", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8", "package": "jws5-tomcat-native-0:1.2.30-3.redhat_3.el8jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 8", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8", "package": "jws5-tomcat-vault-0:1.1.8-4.Final_redhat_00004.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 8", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2022:1179", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "tomcat", "product_name": "Red Hat Support for Spring Boot 2.5.10", "release_date": "2022-04-12T00:00:00Z"}], "bugzilla": {"description": "tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS", "id": "2014356", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2014356"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-772", "details": ["The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.", "A memory leak flaw was found in Apache Tomcat, where an HTTP upgrade connection does not release for WebSocket connections once the WebSocket connection is closed. If a sufficient number of such requests are made, an OutOfMemoryError occurs, leading to a denial of service. The highest threat from this vulnerability is to system availability."], "name": "CVE-2021-42340", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "impact": "low", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "impact": "low", "package_name": "tomcat", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Process Automation 7"}], "public_date": "2021-10-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-42340\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-42340\nhttp://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.12\nhttp://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.0-M6\nhttp://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.72\nhttp://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.54\nhttps://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E"], "statement": "Within Red Hat OpenStack Platform, Tomcat is provided as a component of OpenDaylight. This flaw will not receive a fix as OpenDaylight was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.\nRed Hat Satellite does not include the affected Apache Tomcat, however, Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.", "threat_severity": "Important", "upstream_fix": "tomcat 10.1.0-M6, tomcat 10.0.12, tomcat 9.0.54, tomcat 8.5.72"}