CVE-2021-43980
Summary
| CVE | CVE-2021-43980 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-09-28 14:15:00 UTC |
| Updated | 2022-11-10 04:00:00 UTC |
| Description | The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. |
Risk And Classification
Problem Types: CWE-362
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Tomcat | 10.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone9 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone11 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone12 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone9 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone9 | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| oss-security - CVE-2021-43980: Apache Tomcat: Information disclosure | MLIST | www.openwall.com | |
| Debian -- Security Information -- DSA-5265-1 tomcat9 | DEBIAN | www.debian.org | |
| [SECURITY] [DLA 3160-1] tomcat9 security update | MLIST | lists.debian.org | |
| lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3 | MISC | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for discovering the issue and working with the Tomcat security team to identify the root cause and appropriate fix.
Legacy QID Mappings
- 150579 Apache Tomcat Information Disclosure Vulnerability (CVE-2021-43980)
- 181163 Debian Security Update for tomcat9 (DLA 3160-1)
- 181177 Debian Security Update for tomcat9 (DSA 5265-1)
- 183888 Debian Security Update for tomcat9 (CVE-2021-43980)
- 354897 Amazon Linux Security Advisory for tomcat8 : ALAS-2023-1732
- 355155 Amazon Linux Security Advisory for tomcat9 : ALAS2023-2023-176
- 356166 Amazon Linux Security Advisory for tomcat : ALASTOMCAT9-2023-005
- 356243 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-013
- 730647 Apache Tomcat Information Disclosure Vulnerability (CVE-2021-43980)
- 730650 Apache Tomcat Information Disclosure Vulnerability (CVE-2021-43980)
- 730659 Apache Tomcat Information Disclosure Vulnerability (CVE-2021-43980)
- 730665 Apache Tomcat Information Disclosure Vulnerability (CVE-2021-43980)
- 752808 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2022:4009-1)
- 752834 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2022:4221-1)
- 752849 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2022:4257-1)