CVE-2021-42340: DoS via memory leak with WebSocket connections

Published Oct 14, 2021

A memory leak flaw was found in Apache Tomcat, where the HTTP upgrade connection is not released for WebSocket connections once the WebSocket connection is closed. If a sufficient number of such requests are made, an OutOfMemoryError occurs, leading to a denial of service. The highest threat from this vulnerability is to system availability.

Other sources

Apache Tomcat did not properly release an HTTP upgrade connection for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. This issue affects Apache Tomcat 10.1.0-M1 to 10.1.0-M5; Apache Tomcat 10.0.0-M10 to 10.0.11; Apache Tomcat 9.0.40 to 9.0.53; Apache Tomcat 8.5.60 to 8.5.71.

Upstream commits:
Tomcat 10.1: https://github.com/apache/tomcat/commit/d5a6660cba7f51589468937bf3bbad4db7810371
Tomcat 10.0: https://github.com/apache/tomcat/commit/31d62426645824bdfe076a0c0eafa904d90b4fb9
Tomcat 9.0: https://github.com/apache/tomcat/commit/80f1438ec45e77a07b96419808971838d259eb47
Tomcat 8.5: https://github.com/apache/tomcat/commit/d27535bdee95d252418201eb21e9d29476aa6b6a

Reference: https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E

Red Hat

Apache Tomcat is vulnerable to a denial of service, caused by a memory leak flaw in WebSocket connections. By sending a specially-crafted request using OutOfMemoryError, a remote attacker could exploit this vulnerability to cause a denial of service condition.

IBM

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
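The affected ranges above mix milestone builds (10.0.0-M10, 10.1.0-M5) with releases, and a plain string comparison orders them wrongly ("10.0.0-M10" sorts before "10.0.0-M2", and a milestone must sort before the final release of the same number). The following is an added example, not code from the advisory or from the Tomcat project: a small Python checker that parses a Tomcat version, orders milestones correctly, and reports whether it falls in the ranges listed on this page (taken from the Maven ranges in the affected-software list) and which release fixes it. The "Server version: Apache Tomcat/x.y.z" banner line it parses is a constructed sample, and the assumed affected ranges are hard-coded from this page.

```python
import re
from typing import Optional, Tuple

# Affected ranges as listed on this page (Maven entries): lower bound inclusive,
# upper bound is the first fixed release, exclusive.
AFFECTED_RANGES = [
    ("8.5.60", "8.5.72"),
    ("9.0.40", "9.0.54"),
    ("10.0.0-M1", "10.0.12"),
    ("10.1.0-M1", "10.1.0-M6"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Turn '10.0.0-M10' or '9.0.53' into a tuple that sorts correctly.

    A milestone precedes the final release of the same x.y.z, so the trailing
    stage component is (0, milestone) for milestones and (1, 0) for releases.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    stage = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + stage


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release if the version is affected, else None."""
    key = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if parse_version(lower) <= key < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


_SERVER_LINE_RE = re.compile(r"Apache Tomcat/(\S+)")


def version_from_server_info(text: str) -> Optional[str]:
    """Pull the version out of a 'Server version: Apache Tomcat/x.y.z' line.

    The line shape is an assumption about the banner printed by Tomcat's
    version script; the sample used below is constructed, not captured.
    """
    m = _SERVER_LINE_RE.search(text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample banner line, not output from a real server.
    sample = "Server version: Apache Tomcat/9.0.45"
    found = version_from_server_info(sample)
    if found is None:
        print("no Tomcat version found in input")
    else:
        fix = fixed_version_for(found)
        status = f"affected, upgrade to {fix}" if fix else "not in the affected ranges"
        print(f"Tomcat {found}: {status}")
```

This check applies to upstream version numbers only. Distribution packages such as Debian's tomcat9 9.0.31-1~deb10u6 in the list above carry the fix backported under an older upstream number, so for packaged builds compare the package version against the distribution's fixed version rather than against the upstream range. On an unpatched host the symptom the advisory describes is steady heap growth with each closed WebSocket connection, ending in an OutOfMemoryError.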

Affected Software

56 affected components (fixes available)

redhat/pki-servlet-engine < 1:9.0.50-1.el9 (fixed in 1:9.0.50-1.el9)
redhat/jws5-tomcat < 0:9.0.50-3.redhat_00004.1.el7 (fixed in 0:9.0.50-3.redhat_00004.1.el7)
redhat/jws5-tomcat-native < 0:1.2.30-3.redhat_3.el7 (fixed in 0:1.2.30-3.redhat_3.el7)
redhat/jws5-tomcat-vault < 0:1.1.8-4.Final_redhat_00004.1.el7 (fixed in 0:1.1.8-4.Final_redhat_00004.1.el7)
redhat/jws5-tomcat < 0:9.0.50-3.redhat_00004.1.el8 (fixed in 0:9.0.50-3.redhat_00004.1.el8)
redhat/jws5-tomcat-native < 0:1.2.30-3.redhat_3.el8 (fixed in 0:1.2.30-3.redhat_3.el8)
redhat/jws5-tomcat-vault < 0:1.1.8-4.Final_redhat_00004.1.el8 (fixed in 0:1.1.8-4.Final_redhat_00004.1.el8)
debian/tomcat9 (fixed in 9.0.31-1~deb10u6, 9.0.31-1~deb10u10, 9.0.43-2~deb11u6, 9.0.43-2~deb11u9, 9.0.70-2)
maven/org.apache.tomcat:tomcat >= 8.5.60, < 8.5.72 (fixed in 8.5.72)
maven/org.apache.tomcat:tomcat >= 9.0.40, < 9.0.54 (fixed in 9.0.54)
maven/org.apache.tomcat:tomcat >= 10.0.0-M1, < 10.0.12 (fixed in 10.0.12)
maven/org.apache.tomcat:tomcat >= 10.1.0-M1, <= 10.1.0-M5 (fixed in 10.1.0-M6)
IBM QRadar SIEM <= 7.5.0 GA
IBM QRadar SIEM <= 7.4.3 GA - 7.4.3 FP4
IBM QRadar SIEM <= 7.3.3 GA - 7.3.3 FP10
Apache Tomcat >= 8.5.60, < 8.5.72
Apache Tomcat >= 9.0.40, < 9.0.54
Apache Tomcat >= 10.0.1, < 10.0.12
Apache Tomcat = 10.0.0-milestone10
Apache Tomcat = 10.1.0-milestone1
Apache Tomcat = 10.1.0-milestone2
Apache Tomcat = 10.1.0-milestone3
Apache Tomcat = 10.1.0-milestone4
Apache Tomcat = 10.1.0-milestone5
NetApp HCI
NetApp Management Services for Element Software
Debian Linux = 11.0
Oracle Agile Engineering Data Management = 6.2.1.0
Oracle Big Data Spatial and Graph < 23.1
Oracle Communications Diameter Signaling Router >= 8.0.0.0, <= 8.5.0.2
Oracle Hospitality Cruise Shipboard Property Management System = 20.1.0
Oracle Managed File Transfer = 12.2.1.3.0
Oracle Managed File Transfer = 12.2.1.4.0
Oracle Middleware Common Libraries and Tools = 12.2.1.4.0
Oracle Payment Interface = 19.1
Oracle Payment Interface = 20.3
Oracle Retail Customer Insights = 15.0.2
Oracle Retail Customer Insights = 16.0.2
Oracle Retail Data Extractor for Merchandising = 15.0.2
Oracle Retail Data Extractor for Merchandising = 16.0.2
Oracle Retail EFTLink = 21.0.0
Oracle Retail Financial Integration = 16.0.1
Oracle Retail Financial Integration = 19.0.0
Oracle Retail Store Inventory Management = 14.0.4.13
Oracle Retail Store Inventory Management = 14.1.3.5
Oracle Retail Store Inventory Management = 14.1.3.14
Oracle Retail Store Inventory Management = 15.0.3.3
Oracle Retail Store Inventory Management = 15.0.3.8
Oracle Retail Store Inventory Management = 16.0.3.7
Oracle SD-WAN Edge = 9.0
Oracle SD-WAN Edge = 9.1
Oracle Taleo Platform
redhat/tomcat < 10.1.0 (fixed in 10.1.0)
redhat/tomcat < 10.0.12 (fixed in 10.0.12)
redhat/tomcat < 9.0.54 (fixed in 9.0.54)
redhat/tomcat < 8.5.72 (fixed in 8.5.72)

Event History

Oct 14, 2021
12:00 AM - CVE Published
07:55 PM - CVE Published via MITRE
07:55 PM - Data Sourced via MITRE (Description, Weakness)

Oct 15, 2021
02:13 AM - Data Sourced via Red Hat (Description, Severity, Affected Software)
06:51 PM - Advisory Published via GitHub



Frequently Asked Questions

1. What is CVE-2021-42340?

CVE-2021-42340 is a vulnerability in Apache Tomcat that allows for a denial of service attack caused by a memory leak flaw in WebSocket connections.

2. What is the severity of CVE-2021-42340?

CVE-2021-42340 has a severity level of high.

3. Which versions of Apache Tomcat are affected by CVE-2021-42340?

Apache Tomcat versions 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53, and 8.5.60 to 8.5.71 are affected by CVE-2021-42340.

4. What is the fix for CVE-2021-42340?

The fix for CVE-2021-42340 is available in Apache Tomcat 10.1.0-M6, 10.0.12, 9.0.54, and 8.5.72.

5. How can I mitigate the vulnerability?

To mitigate the vulnerability, it is recommended to update Apache Tomcat to versions 10.1.0-M6, 10.0.12, 9.0.54, or 8.5.72.
