CVE-2021-42340

Опубликовано: 14 окт. 2021

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Ссылки

https://kc.mcafee.com/corporate/index?page=content&id=SB10379
Third Party Advisory
https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E
https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E
Mailing List
Vendor Advisory
https://security.gentoo.org/glsa/202208-34
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211104-0001/
Third Party Advisory
https://www.debian.org/security/2021/dsa-5009
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch
Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10379
Third Party Advisory
https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E
https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E
Mailing List
Vendor Advisory
https://security.gentoo.org/glsa/202208-34
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211104-0001/
Third Party Advisory
https://www.debian.org/security/2021/dsa-5009
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Версия от 8.5.60 (включая) до 8.5.72 (исключая)

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Версия от 9.0.40 (включая) до 9.0.54 (исключая)

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Версия от 10.0.1 (включая) до 10.0.12 (исключая)

cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:a:netapp:hci:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*

Конфигурация 3

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*

Версия до 23.1 (исключая)

cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*

Версия от 8.0.0.0 (включая) до 8.5.0.2 (включая)

cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:payment_interface:19.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:payment_interface:20.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_insights:15.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_customer_insights:16.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_data_extractor_for_merchandising:15.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_data_extractor_for_merchandising:16.0.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_eftlink:21.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_financial_integration:16.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_financial_integration:19.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:14.0.4.13:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.14:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:taleo_platform:*:*:*:*:*:*:*:*

EPSS

Процентиль: 87%

0.03464

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-772

Связанные уязвимости

CVE-2021-42340

CVSS3: 7.5

ubuntu

больше 3 лет назад

CVE-2021-42340

CVSS3: 7.5

redhat

больше 3 лет назад

CVE-2021-42340

CVSS3: 7.5

debian

больше 3 лет назад

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, ...

GHSA-wph7-x527-w3h5

CVSS3: 7.5

github

больше 3 лет назад

Missing Release of Resource after Effective Lifetime in Apache Tomcat

BDU:2021-06115

CVSS3: 7.5

fstec

больше 3 лет назад

Уязвимость сервера приложений Apache Tomcat, связанная с утечкой памяти, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 87%

0.03464

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-772