QID 980270

QID 980270: Java (maven) Security Update for org.apache.tomcat:tomcat (GHSA-44qp-qhfv-c7f6)

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

Successful exploitation of this vulnerability may affect the confidentiality, integrity, and availability of the targeted user.

CVSS V3 rated as High - 7.5 severity.

CVSS V2 rated as Medium - 5 severity.

Solution

Customers are advised to refer to GHSA-44qp-qhfv-c7f6 for updates pertaining to this vulnerability.

Vendor References

GHSA-44qp-qhfv-c7f6 - github.com/advisories/GHSA-44qp-qhfv-c7f6

CVEs related to QID 980270

CVE-2021-30639 |

Software Advisories

Advisory ID	Software	Component	Link
GHSA-44qp-qhfv-c7f6	org.apache.tomcat:tomcat		github.com/advisories/GHSA-44qp-qhfv-c7f6

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].