CVE-2021-42340

high-risk

Published 2021-10-14

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Do I need to act?

5.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Tomcat

Hci

Management Services For Element Software

Debian Linux

Agile Engineering Data Management

Big Data Spatial And Graph

Communications Diameter Signaling Router

Hospitality Cruise Shipboard Property Management System

Managed File Transfer

Middleware Common Libraries And Tools

Payment Interface

Retail Customer Insights

Affected Vendors

Debian Apache Oracle Netapp

References (18)

Third Party Advisory https://kc.mcafee.com/corporate/index?page=content&id=SB10379

https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d...

Mailing List https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced...

Third Party Advisory https://security.gentoo.org/glsa/202208-34

Third Party Advisory https://security.netapp.com/advisory/ntap-20211104-0001/

Third Party Advisory https://www.debian.org/security/2021/dsa-5009

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujan2022.html

Patch https://www.oracle.com/security-alerts/cpujul2022.html