CVE-2021-30639

Summary

CVE	CVE-2021-30639
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-07-12 15:15:00 UTC
Updated	2023-11-07 03:33:00 UTC
Description	A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

Risk And Classification

Problem Types: CWE-755

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Tomcat	10.0.3	All	All	All
Application	Apache	Tomcat	10.0.4	All	All	All
Application	Apache	Tomcat	8.5.64	All	All	All
Application	Apache	Tomcat	9.0.44	All	All	All
Application	Mcafee	Epolicy Orchestrator	All	All	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	-	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_1	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_10	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_2	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_3	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_4	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_5	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_6	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_7	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_8	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_9	All	All
Application	Oracle	Big Data Spatial And Graph	All	All	All	All

References

Reference	Source	Link	Tags
July 2021 Apache Tomcat Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Pony Mail!	MLIST	lists.apache.org
Security Bulletin - ePolicy Orchestrator update addresses two product vulnerabilities (CVE-2021-31834 and CVE-2021-31835) and updates Java, OpenSSL, and Tomcat	CONFIRM	kc.mcafee.com
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
[tomcat-dev] 20210712 RE: [SECURITY] CVE-2021-30639 Apache Tomcat DoS		lists.apache.org
Apache Tomcat: Multiple Vulnerabilities (GLSA 202208-34) — Gentoo security	GENTOO	security.gentoo.org
Pony Mail!	MISC	lists.apache.org
[tomcat-users] 20210712 RE: [SECURITY] CVE-2021-30639 Apache Tomcat DoS		lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

150444 Apache Tomcat Denial of Service Vulnerability (CVE-2021-30639)
690075 Free Berkeley Software Distribution (FreeBSD) Security Update for tomcat (cc7c85d9-f30a-11eb-b12b-fc4dd43e2b6a)
710609 Gentoo Linux Apache Tomcat Multiple Vulnerabilities (GLSA 202208-34)
730142 Apache Tomcat Denial Of Service Vulnerability (CVE-2021-30639)
980270 Java (maven) Security Update for org.apache.tomcat:tomcat (GHSA-44qp-qhfv-c7f6)