{
  "threat_severity" : "Important",
  "public_date" : "2021-10-14T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS",
    "id" : "2014356",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2014356"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-772",
  "details" : [ "The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.", "A memory leak flaw was found in Apache Tomcat, where an HTTP upgrade connection does not release for WebSocket connections once the WebSocket connection is closed. If a sufficient number of such requests are made, an OutOfMemoryError occurs, leading to a denial of service. The highest threat from this vulnerability is to system availability." ],
  "statement" : "Within Red Hat OpenStack Platform, Tomcat is provided as a component of OpenDaylight. This flaw will not receive a fix as OpenDaylight was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.\nRed Hat Satellite does not include the affected Apache Tomcat, however, Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHBA-2022:8077",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "pki-servlet-engine-1:9.0.50-1.el9",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Fuse 7.11",
    "release_date" : "2022-07-07T00:00:00Z",
    "advisory" : "RHSA-2022:5532",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "tomcat",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4863",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 7",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7",
    "package" : "jws5-tomcat-0:9.0.50-3.redhat_00004.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 7",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7",
    "package" : "jws5-tomcat-native-0:1.2.30-3.redhat_3.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 7",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7",
    "package" : "jws5-tomcat-vault-0:1.1.8-4.Final_redhat_00004.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 8",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8",
    "package" : "jws5-tomcat-0:9.0.50-3.redhat_00004.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 8",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8",
    "package" : "jws5-tomcat-native-0:1.2.30-3.redhat_3.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 8",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8",
    "package" : "jws5-tomcat-vault-0:1.1.8-4.Final_redhat_00004.1.el8jws"
  }, {
    "product_name" : "Red Hat Support for Spring Boot 2.5.10",
    "release_date" : "2022-04-12T00:00:00Z",
    "advisory" : "RHSA-2022:1179",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "tomcat"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-42340\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-42340\nhttp://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.12\nhttp://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.0-M6\nhttp://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.72\nhttp://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.54\nhttps://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E" ],
  "name" : "CVE-2021-42340",
  "csaw" : false
}