Critical Apache Tomcat DoS Vulnerability (CVE-2021-42340): Risks, Affected Versions, and Fixes
A high‑severity Apache Tomcat denial‑of‑service flaw (CVE‑2021‑42340), reported by 360CERT on 2021‑10‑15, is rated 7.8, affects multiple Tomcat release lines, and is mitigated by upgrading to the secure versions listed below, following 360CERT's remediation guidance.
Report ID: B6-2021-101501
Source: 360CERT (2021‑10‑15)
1. Vulnerability Overview
On 2021‑10‑15, 360CERT became aware that the Apache project had published a denial‑of‑service (DoS) advisory for Apache Tomcat, tracked as CVE-2021-42340. The vulnerability is rated High with a CVSS score of 7.8. Tomcat is a widely deployed servlet container, so a DoS condition in it can severely degrade service availability.
2. Risk Rating
| Assessment              | Level |
|-------------------------|-------|
| Threat Level            | High  |
| Impact Scope            | Broad |
| Attacker Value          | High  |
| Exploitation Difficulty | Low   |
| 360CERT Score           | 7.8   |
3. Vulnerability Details
CVE‑2021‑42340: Apache Tomcat DoS Vulnerability
CVE: CVE‑2021‑42340
Component: Tomcat
Type: Denial of Service
Impact: Service availability loss
Description: A memory leak was introduced while fixing historical Tomcat bug 63362. When a Tomcat WebSocket connection is closed, the object that collects HTTP upgrade connection metrics is not released. Because the leaked object is retained for every closed connection, heap usage grows over time, and an attacker can drive the JVM to an OutOfMemoryError, causing a DoS.
4. Affected Versions
| Component     | Affected Versions       | Secure Version |
|---------------|-------------------------|----------------|
| Apache Tomcat | 10.1.0‑M1 – 10.1.0‑M5   | >= 10.1.0‑M6   |
| Apache Tomcat | 10.0.0‑M10 – 10.0.11    | >= 10.0.12     |
| Apache Tomcat | 9.0.40 – 9.0.53         | >= 9.0.54      |
| Apache Tomcat | 8.5.60 – 8.5.71         | >= 8.5.72      |
5. Mitigation Recommendations
General Patch Advice
Identify deployments running any of the affected versions listed above and upgrade each to the corresponding secure version for its release line.
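The following is an added example, not part of the 360CERT report or Apache's own tooling: a small Python checker that compares a deployed Tomcat version against the affected ranges in the table above and names the secure version to upgrade to. Tomcat milestone builds (10.1.0-M5) sort before the corresponding GA release, and the 10.1 milestone line is checked separately from 10.0, so a plain numeric comparison would get both wrong; the version key below handles that. The `ServerInfo` output parsed at the bottom is a constructed sample in the format printed by `org.apache.catalina.util.ServerInfo` (also shown by `catalina.sh version`).

```python
import re
from typing import NamedTuple, Optional


class TomcatVersion(NamedTuple):
    """Sortable version key. 'ga' is 1 for a GA release and 0 for a milestone
    build, so 10.1.0-M5 < 10.1.0-M6 < 10.1.0 compares as Tomcat intends."""
    major: int
    minor: int
    patch: int
    ga: int
    milestone: int


VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> TomcatVersion:
    """Parse '9.0.53' or '10.1.0-M5' into a TomcatVersion key."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(milestone))


# (first affected, last affected, first fixed) per release line, exactly as
# listed in the advisory's "Affected Versions" table.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M5", "10.1.0-M6"),
    ("10.0.0-M10", "10.0.11", "10.0.12"),
    ("9.0.40", "9.0.53", "9.0.54"),
    ("8.5.60", "8.5.71", "8.5.72"),
]


def assess(version_text: str) -> dict:
    """Return whether a version falls inside a listed affected range and,
    if so, the secure version for that release line."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return {"version": version_text, "affected": True, "upgrade_to": fixed}
    return {"version": version_text, "affected": False, "upgrade_to": None}


SERVER_INFO_RE = re.compile(r"Apache Tomcat/(\S+)")


def version_from_server_info(output: str) -> str:
    """Extract the version from the 'Server version:' line that
    org.apache.catalina.util.ServerInfo prints."""
    for line in output.splitlines():
        if line.startswith("Server version:"):
            m = SERVER_INFO_RE.search(line)
            if m:
                return m.group(1)
    raise ValueError("no 'Server version:' line found in ServerInfo output")


# Constructed sample of ServerInfo output (not captured from a real host).
SAMPLE_SERVER_INFO = """Server version: Apache Tomcat/9.0.53
Server built:   Sep 3 2021 12:00:00 UTC
Server number:  9.0.53.0
OS Name:        Linux
"""


if __name__ == "__main__":
    deployed = version_from_server_info(SAMPLE_SERVER_INFO)
    for candidate in (deployed, "10.1.0-M5", "10.1.0-M6", "10.0.12", "8.5.59"):
        print(assess(candidate))
```

To use it against a real host, feed the checker the output of `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` run from the Tomcat installation directory. A version outside every listed range is reported as not affected by this advisory, which is not the same as being current; the secure-version column still applies to anything on those branches.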
6. Timeline
2021‑10‑14 – Apache releases advisory.
2021‑10‑15 – 360CERT publishes report.
7. References
https://www.mail.archive.com/[email protected]/msg06812.html
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
