{
  "threat_severity" : "Important",
  "public_date" : "2021-09-15T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine",
    "id" : "2004820",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2004820"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.", "A flaw was found in Apache Tomcat. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet can trigger an infinite loop, resulting in a denial of service. The highest threat from this vulnerability is to system availability." ],
  "statement" : "In Red Hat Certificate System versions 9 and older, the version of Tomcat used is not affected by this flaw.\nIn Red Hat Certificate System 10, Tomcat is affected by this flaw. However, Tomcat is configured so that it does not use OpenSSLEngine, but the Dogtag JSS SSL implementation. As a result, the flaw can not be reached.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.11",
    "release_date" : "2022-07-07T00:00:00Z",
    "advisory" : "RHSA-2022:5532",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "tomcat",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "release_date" : "2021-10-06T00:00:00Z",
    "advisory" : "RHSA-2021:3743",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 7",
    "release_date" : "2021-10-06T00:00:00Z",
    "advisory" : "RHSA-2021:3741",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7",
    "package" : "jws5-tomcat-0:9.0.43-13.redhat_00013.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 8",
    "release_date" : "2021-10-06T00:00:00Z",
    "advisory" : "RHSA-2021:3741",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8",
    "package" : "jws5-tomcat-0:9.0.43-13.redhat_00013.1.el8jws"
  }, {
    "product_name" : "Red Hat Support for Spring Boot 2.5.10",
    "release_date" : "2022-04-12T00:00:00Z",
    "advisory" : "RHSA-2022:1179",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "tomcat"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-41079\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-41079\nhttps://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E\nhttps://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.4\nhttps://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.64\nhttps://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.44" ],
  "name" : "CVE-2021-41079",
  "csaw" : false
}