High severityNVD Advisory· Published Oct 14, 2021· Updated Aug 4, 2024
DoS via memory leak with WebSocket connections
CVE-2021-42340
Description
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 10.1.0-M1, < 10.1.0-M6 | 10.1.0-M6 |
org.apache.tomcat:tomcatMaven | >= 10.0.0-M1, < 10.0.12 | 10.0.12 |
org.apache.tomcat:tomcatMaven | >= 9.0.40, < 9.0.54 | 9.0.54 |
org.apache.tomcat:tomcatMaven | >= 8.5.60, < 8.5.72 | 8.5.72 |
Affected products
3- osv-coords2 versions
>= 8.5.60, < 8.5.72+ 1 more
- (no CPE)range: >= 8.5.60, < 8.5.72
- (no CPE)range: >= 10.1.0-M1, < 10.1.0-M6
- Apache Software Foundation/Apache Tomcatv5Range: Apache Tomcat 10 10.0.0-M10 to 10.0.11
Patches
Vulnerability mechanics
References
20- github.com/advisories/GHSA-wph7-x527-w3h5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-42340ghsaADVISORY
- security.gentoo.org/glsa/202208-34ghsavendor-advisoryx_refsource_GENTOOWEB
- www.debian.org/security/2021/dsa-5009ghsavendor-advisoryx_refsource_DEBIANWEB
- github.com/apache/tomcat/commit/31d62426645824bdfe076a0c0eafa904d90b4fb9ghsaWEB
- github.com/apache/tomcat/commit/80f1438ec45e77a07b96419808971838d259eb47ghsaWEB
- github.com/apache/tomcat/commit/d27535bdee95d252418201eb21e9d29476aa6b6aghsaWEB
- github.com/apache/tomcat/commit/d5a6660cba7f51589468937bf3bbad4db7810371ghsaWEB
- kc.mcafee.com/corporate/indexghsax_refsource_CONFIRMWEB
- lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784@%3Ccommits.myfaces.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3Eghsax_refsource_MISCWEB
- security.netapp.com/advisory/ntap-20211104-0001ghsaWEB
- security.netapp.com/advisory/ntap-20211104-0001/mitrex_refsource_CONFIRM
- tomcat.apache.org/security-10.htmlghsaWEB
- tomcat.apache.org/security-8.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
- www.oracle.com/security-alerts/cpuapr2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujul2022.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.