Vulnerability Details CVE-2021-42340
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 77.6%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10379
- https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E
- https://security.gentoo.org/glsa/202208-34
- https://security.netapp.com/advisory/ntap-20211104-0001/
- https://www.debian.org/security/2021/dsa-5009
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10379
- https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E
- https://security.gentoo.org/glsa/202208-34
- https://security.netapp.com/advisory/ntap-20211104-0001/
- https://www.debian.org/security/2021/dsa-5009
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Products affected by CVE-2021-42340
-
cpe:2.3:a:apache:tomcat:10.0.0
-
cpe:2.3:a:apache:tomcat:10.0.1
-
cpe:2.3:a:apache:tomcat:10.0.10
-
cpe:2.3:a:apache:tomcat:10.0.11
-
cpe:2.3:a:apache:tomcat:10.0.2
-
cpe:2.3:a:apache:tomcat:10.0.3
-
cpe:2.3:a:apache:tomcat:10.0.4
-
cpe:2.3:a:apache:tomcat:10.0.5
-
cpe:2.3:a:apache:tomcat:10.0.6
-
cpe:2.3:a:apache:tomcat:10.0.7
-
cpe:2.3:a:apache:tomcat:10.0.8
-
cpe:2.3:a:apache:tomcat:10.0.9
-
cpe:2.3:a:apache:tomcat:10.1.0
-
cpe:2.3:a:apache:tomcat:8.5.60
-
cpe:2.3:a:apache:tomcat:8.5.61
-
cpe:2.3:a:apache:tomcat:8.5.62
-
cpe:2.3:a:apache:tomcat:8.5.63
-
cpe:2.3:a:apache:tomcat:8.5.64
-
cpe:2.3:a:apache:tomcat:8.5.65
-
cpe:2.3:a:apache:tomcat:8.5.66
-
cpe:2.3:a:apache:tomcat:8.5.67
-
cpe:2.3:a:apache:tomcat:8.5.68
-
cpe:2.3:a:apache:tomcat:8.5.69
-
cpe:2.3:a:apache:tomcat:8.5.70
-
cpe:2.3:a:apache:tomcat:8.5.71
-
cpe:2.3:a:apache:tomcat:9.0.40
-
cpe:2.3:a:apache:tomcat:9.0.41
-
cpe:2.3:a:apache:tomcat:9.0.42
-
cpe:2.3:a:apache:tomcat:9.0.43
-
cpe:2.3:a:apache:tomcat:9.0.44
-
cpe:2.3:a:apache:tomcat:9.0.45
-
cpe:2.3:a:apache:tomcat:9.0.46
-
cpe:2.3:a:apache:tomcat:9.0.47
-
cpe:2.3:a:apache:tomcat:9.0.48
-
cpe:2.3:a:apache:tomcat:9.0.49
-
cpe:2.3:a:apache:tomcat:9.0.50
-
cpe:2.3:a:apache:tomcat:9.0.51
-
cpe:2.3:a:apache:tomcat:9.0.52
-
cpe:2.3:a:apache:tomcat:9.0.53
-
cpe:2.3:a:netapp:hci:-
-
cpe:2.3:a:netapp:management_services_for_element_software:-
-
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0
-
cpe:2.3:a:oracle:big_data_spatial_and_graph:-
-
cpe:2.3:a:oracle:big_data_spatial_and_graph:2.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.3
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.3.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4.0.5
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.5.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.5.0.2
-
cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0
-
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0
-
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0
-
cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0
-
cpe:2.3:a:oracle:payment_interface:19.1
-
cpe:2.3:a:oracle:payment_interface:20.3
-
cpe:2.3:a:oracle:retail_customer_insights:15.0.2
-
cpe:2.3:a:oracle:retail_customer_insights:16.0.2
-
cpe:2.3:a:oracle:retail_data_extractor_for_merchandising:15.0.2
-
cpe:2.3:a:oracle:retail_data_extractor_for_merchandising:16.0.2
-
cpe:2.3:a:oracle:retail_eftlink:21.0.0
-
cpe:2.3:a:oracle:retail_financial_integration:16.0.1
-
cpe:2.3:a:oracle:retail_financial_integration:19.0.0
-
cpe:2.3:a:oracle:retail_store_inventory_management:14.0.4.13
-
cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.14
-
cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.5
-
cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.3
-
cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.8
-
cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3.7
-
cpe:2.3:a:oracle:sd-wan_edge:9.0
-
cpe:2.3:a:oracle:sd-wan_edge:9.1
-
cpe:2.3:a:oracle:taleo_platform:-
-
cpe:2.3:a:oracle:taleo_platform:22.1
-
cpe:2.3:o:debian:debian_linux:11.0