Vulnerability Monitor


CVE-2021-42340


The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.


Published

2021-10-14T20:15:09.060

Last Modified

2024-11-21T06:27:38.363

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-772
  • Type: Primary
    CWE-772

Affected Vendors & Products
Type              Vendor  Product                                                  Version/Range  Vulnerable?
Application       apache  tomcat                                                   < 8.5.72       Yes
Application       apache  tomcat                                                   < 9.0.54       Yes
Application       apache  tomcat                                                   < 10.0.12      Yes
Application       apache  tomcat                                                   10.0.0         Yes
Application       apache  tomcat                                                   10.1.0         Yes
Application       apache  tomcat                                                   10.1.0         Yes
Application       apache  tomcat                                                   10.1.0         Yes
Application       apache  tomcat                                                   10.1.0         Yes
Application       apache  tomcat                                                   10.1.0         Yes
Application       netapp  hci                                                      -              Yes
Application       netapp  management_services_for_element_software                 -              Yes
Operating System  debian  debian_linux                                             11.0           Yes
Application       oracle  agile_engineering_data_management                        6.2.1.0        Yes
Application       oracle  big_data_spatial_and_graph                               < 23.1         Yes
Application       oracle  communications_diameter_signaling_router                 ≤ 8.5.0.2      Yes
Application       oracle  hospitality_cruise_shipboard_property_management_system  20.1.0         Yes
Application       oracle  managed_file_transfer                                    12.2.1.3.0     Yes
Application       oracle  managed_file_transfer                                    12.2.1.4.0     Yes
Application       oracle  middleware_common_libraries_and_tools                    12.2.1.4.0     Yes
Application       oracle  payment_interface                                        19.1           Yes
Application       oracle  payment_interface                                        20.3           Yes
Application       oracle  retail_customer_insights                                 15.0.2         Yes
Application       oracle  retail_customer_insights                                 16.0.2         Yes
Application       oracle  retail_data_extractor_for_merchandising                  15.0.2         Yes
Application       oracle  retail_data_extractor_for_merchandising                  16.0.2         Yes
Application       oracle  retail_eftlink                                           21.0.0         Yes
Application       oracle  retail_financial_integration                             16.0.1         Yes
Application       oracle  retail_financial_integration                             19.0.0         Yes
Application       oracle  retail_store_inventory_management                        14.0.4.13      Yes
Application       oracle  retail_store_inventory_management                        14.1.3.5       Yes
Application       oracle  retail_store_inventory_management                        14.1.3.14      Yes
Application       oracle  retail_store_inventory_management                        15.0.3.3       Yes
Application       oracle  retail_store_inventory_management                        15.0.3.8       Yes
Application       oracle  retail_store_inventory_management                        16.0.3.7       Yes
Application       oracle  sd-wan_edge                                              9.0            Yes
Application       oracle  sd-wan_edge                                              9.1            Yes
Application       oracle  taleo_platform                                           *              Yes

References