CVE-2021-42340

Summary

CVE	CVE-2021-42340
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-10-14 20:15:00 UTC
Updated	2023-11-07 03:39:00 UTC
Description	The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Risk And Classification

Problem Types: CWE-772

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Tomcat	All	All	All	All
Application	Apache	Tomcat	10.0.0	milestone10	All	All
Application	Apache	Tomcat	10.1.0	milestone1	All	All
Application	Apache	Tomcat	10.1.0	milestone2	All	All
Application	Apache	Tomcat	10.1.0	milestone3	All	All
Application	Apache	Tomcat	10.1.0	milestone4	All	All
Application	Apache	Tomcat	10.1.0	milestone5	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Application	Netapp	Hci	-	All	All	All
Application	Netapp	Management Services For Element Software	-	All	All	All
Application	Netapp	Management Services For Element Software And Netapp Hci	-	All	All	All
Application	Oracle	Agile Engineering Data Management	6.2.1.0	All	All	All
Application	Oracle	Big Data Spatial And Graph	All	All	All	All
Application	Oracle	Communications Diameter Signaling Router	All	All	All	All
Application	Oracle	Hospitality Cruise Shipboard Property Management System	20.1.0	All	All	All
Application	Oracle	Managed File Transfer	12.2.1.3.0	All	All	All
Application	Oracle	Managed File Transfer	12.2.1.4.0	All	All	All
Application	Oracle	Middleware Common Libraries And Tools	12.2.1.4.0	All	All	All
Application	Oracle	Payment Interface	19.1	All	All	All
Application	Oracle	Payment Interface	20.3	All	All	All
Application	Oracle	Retail Customer Insights	15.0.2	All	All	All
Application	Oracle	Retail Customer Insights	16.0.2	All	All	All
Application	Oracle	Retail Data Extractor For Merchandising	15.0.2	All	All	All
Application	Oracle	Retail Data Extractor For Merchandising	16.0.2	All	All	All
Application	Oracle	Retail Eftlink	21.0.0	All	All	All
Application	Oracle	Retail Financial Integration	16.0.1	All	All	All
Application	Oracle	Retail Financial Integration	19.0.0	All	All	All
Application	Oracle	Retail Store Inventory Management	14.0.4.13	All	All	All
Application	Oracle	Retail Store Inventory Management	14.1.3.14	All	All	All
Application	Oracle	Retail Store Inventory Management	14.1.3.5	All	All	All
Application	Oracle	Retail Store Inventory Management	15.0.3.3	All	All	All
Application	Oracle	Retail Store Inventory Management	15.0.3.8	All	All	All
Application	Oracle	Retail Store Inventory Management	16.0.3.7	All	All	All
Application	Oracle	Sd-wan Edge	9.0	All	All	All
Application	Oracle	Sd-wan Edge	9.1	All	All	All
Application	Oracle	Taleo Platform	All	All	All	All

References

Reference	Source	Link	Tags
CVE-2021-42340 Apache Tomcat Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
[myfaces-commits] 20211021 [myfaces-tobago] branch tobago-5.x updated: build: workaround for CVE-2021-42340		lists.apache.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Apache Tomcat: Multiple Vulnerabilities (GLSA 202208-34) — Gentoo security	GENTOO	security.gentoo.org
Pony Mail!	MISC	lists.apache.org
Security Bulletin - ePolicy Orchestrator update addresses multiple product vulnerabilities (CVE-2022-0842, CVE-2022-0857, CVE-2022-0858, CVE-2022-0859, CVE-2022-0861, CVE-2022-0862) and updates Java, Apache HTTP Server, and Tomcat	CONFIRM	kc.mcafee.com
Debian -- Security Information -- DSA-5009-1 tomcat9	DEBIAN	www.debian.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

150451 Apache Tomcat Denial of Service Vulnerability (CVE-2021-42340)
178896 Debian Security Update for tomcat9 (DSA 5009-1)
184230 Debian Security Update for tomcat9 (CVE-2021-42340)
20255 Oracle Database 19c Critical Patch Update - April 2022
20257 Oracle Database 21c Critical Patch Update - April 2022
20285 Oracle Database 19c Critical OJVM Patch Update - April 2022
239916 Red Hat Update for red hat jboss web server 5.6.0 (RHSA-2021:4861)
296066 Oracle Solaris 11.4 Support Repository Update (SRU) 40.107.3 Missing (CPUOCT2021)
352860 Amazon Linux Security Advisory for tomcat8: ALAS-2021-1546
356263 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-006
356266 Amazon Linux Security Advisory for tomcat : ALASTOMCAT9-2023-006
710609 Gentoo Linux Apache Tomcat Multiple Vulnerabilities (GLSA 202208-34)
730242 Apache Tomcat Denial of Service (DoS) Vulnerability
730296 Atlassian Jira Server and Data Center Denial of Service (DoS) Vulnerability (JRASERVER-72914)
730327 Atlassian Jira Server Multiple Security Vulnerabilities (JRASERVER-73171, JRASERVER-73071, JRASERVER-73070)
730654 Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2021-42340)
730655 Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2021-42340)
730661 Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2021-42340)
730667 Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2021-42340)
980125 Java (maven) Security Update for org.apache.tomcat:tomcat (GHSA-wph7-x527-w3h5)