var-202110-1693
Vulnerability from variot
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. Apache Tomcat is a lightweight web application server of the Apache Foundation. The program implements support for Servlet and JavaServer Page (JSP).
Apache Tomcat has a security vulnerability. The vulnerability is caused by incorrectly verifying the data boundary when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can use this vulnerability to cause buffer overflow or heap overflow, etc. Description:
Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Web Server 5.6.0 Security release Advisory ID: RHSA-2021:4861-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2021:4861 Issue date: 2021-11-30 CVE Names: CVE-2021-30640 CVE-2021-33037 CVE-2021-42340 ==================================================================== 1. Summary:
Updated Red Hat JBoss Web Server 5.6.0 packages are now available for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat JBoss Web Server 5.6 for RHEL 7 Server - noarch, x86_64 Red Hat JBoss Web Server 5.6 for RHEL 8 - noarch, x86_64
- Description:
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications.
This release of Red Hat JBoss Web Server 5.6.0 serves as a replacement for Red Hat JBoss Web Server 5.5.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.
Security Fix(es):
- tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS (CVE-2021-42340)
- tomcat: HTTP request smuggling when used with a reverse proxy (CVE-2021-33037)
- tomcat: JNDI realm authentication weakness (CVE-2021-30640)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
- Package List:
Red Hat JBoss Web Server 5.6 for RHEL 7 Server:
Source: jws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.src.rpm jws5-tomcat-native-1.2.30-3.redhat_3.el7jws.src.rpm jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.src.rpm
noarch: jws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-java-jdk11-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-java-jdk8-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-lib-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
x86_64: jws5-tomcat-native-1.2.30-3.redhat_3.el7jws.x86_64.rpm jws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el7jws.x86_64.rpm
Red Hat JBoss Web Server 5.6 for RHEL 8:
Source: jws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.src.rpm jws5-tomcat-native-1.2.30-3.redhat_3.el8jws.src.rpm jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.src.rpm
noarch: jws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-lib-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
x86_64: jws5-tomcat-native-1.2.30-3.redhat_3.el8jws.x86_64.rpm jws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el8jws.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-30640 https://access.redhat.com/security/cve/CVE-2021-33037 https://access.redhat.com/security/cve/CVE-2021-42340 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYaaMntzjgjWX9erEAQibyg/9E3I1wMpKriqTZKlf1tGcPt4wShPVNKMh B4PC8t1vBZJZ2VBMrQJdmYBUKRn3mccCqUxd0ey/UfsacIoKvAACr18iXCxYc4cO MeNqy7SWRO+Kwze2fYpBu7w5dR34yhUQAN8DAOui7DduZsS209X7WhShrLSjzF5j g+nhRCi4l5QRwcy7NF4TAhmAN7f819BwDHQJI/ttaOHqEwsDnOlPNKbV0X4Hlkf5 5VRD/8ArImD7tqpSs/9YVh34MJLCVmVkWgHBDY0I06LcRSQJoRBZDEkoPRHQxU26 hKH5oDaVezm92RFFqfwo2HHY6eGJc/qTTcd/WeW4RDfx49+ARsOt2kvO2XcEo45A iUue2MayqnfdQHRI7MMNaaWoNudI2MVBcbQYhkTZcgApZEmtCe4taeo0YUvFqUeJ N1Awh8QIN5vqA7wKdtrHiQCMx/6/fqi3VtKN3LZEuUiRMM/sueqc1yob6piuU4Vk nyHP0ULSyMYnrzoqKN1BwbobRYyXKbVR376qMtxhLMe71PXg26TgDC9seUnooNum XgcRIdc7Q2WyGaFLxGE5fS0/7FagX/etRlg9DIHi27NVl0WXgmFVLC2ZumjfSoms FgQUTPwa2Bt90Oat2u7vnB5MBvCR0+OAAsM8TK/cn/31F697MMTI6Qloiq2DDOt4 2c2PkIZ6XrY=6RkQ -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link for the update. You must be logged in to download the update.
For the stable distribution (bullseye), this problem has been fixed in version 9.0.43-2~deb11u3.
We recommend that you upgrade your tomcat9 packages.
For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmGOe15fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeRMcA/7BuGjRiyZnyDtGXxmq2Uew/62TR+u8WaZx6WC6mBNJgYvB1CHEap6+2EY YlFDiddqSC14tPAf+8gOWLVI1CzaWYtGYe8NjRpr6MjnUMfWonHnQn1SqDL8pORb yXLReYESx/YlvUs8+ZRsSoD5H0kFFA+6wYbeZ8gUcuyaV9hzRYDp3ATMAQCLL3RT obSBRpDv+0izjrCZqrcaLX0nBLK7YX/cEpGpT0xCqL6qkuDOVvLxtoc2HBCvYXsd i+9CL6sHzegCqzSypO+GTyOl815IF7BpqOTWm6JmqKDigQu6s432oT2o3Myex5+w CILS2jQaOLlf3nf9tGhbVDv6UougC27fXlkhopmBpINyKelX08Zazltsu86Wy2Zi O7eDLVQxeeSU7cgFBUoVwXouAG8vgfVw1cczYFE3O7Lj183pC3XS/HI+u3vGtooj LStn5jKDPI/vjAzaYk7sLH/OjDzmYXWX9/xQ0UpINK7I93CazE4toOjP0MlRMbZY MNm+KgKLD7ge1fzuZEyxmDempH5nsOcCz1I/xJ9O/gdpJOGAHg6Nu5FT+ceU6OeH lmY2BdUf46KYQO12wjs1VuapDwubiURGndA2F95aohxVV6QjsawKwJ9FLUKA+z6P TaTWS8DO8z9DAzA7IIAxuS9P0v4Hnr0L9ikldO1WMYQgOu5bLCI= =wISU -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202208-34
https://security.gentoo.org/
Severity: Low Title: Apache Tomcat: Multiple Vulnerabilities Date: August 21, 2022 Bugs: #773571, #801916, #818160, #855971 ID: 202208-34
Synopsis
Multiple vulnerabilities have been discovered in Apache Tomcat, the worst of which could result in denial of service.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/tomcat < 8.5.82:8.5 >= 8.5.82:8.5 < 9.0.65:9 >= 9.0.65:9 < 10.0.23:10 >= 10.0.23:10
Description
Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Apache Tomcat 10.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-10.0.23:10"
All Apache Tomcat 9.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-9.0.65:9"
All Apache Tomcat 8.5.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.82:8.5"
References
[ 1 ] CVE-2021-25122 https://nvd.nist.gov/vuln/detail/CVE-2021-25122 [ 2 ] CVE-2021-25329 https://nvd.nist.gov/vuln/detail/CVE-2021-25329 [ 3 ] CVE-2021-30639 https://nvd.nist.gov/vuln/detail/CVE-2021-30639 [ 4 ] CVE-2021-30640 https://nvd.nist.gov/vuln/detail/CVE-2021-30640 [ 5 ] CVE-2021-33037 https://nvd.nist.gov/vuln/detail/CVE-2021-33037 [ 6 ] CVE-2021-42340 https://nvd.nist.gov/vuln/detail/CVE-2021-42340 [ 7 ] CVE-2022-34305 https://nvd.nist.gov/vuln/detail/CVE-2022-34305
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202208-34
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 . The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Installation instructions are available from the Fuse 7.11.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/
4
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202110-1693", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "retail financial integration", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "19.0.0" }, { "model": "retail store inventory management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.1.3.14" }, { "model": "retail store inventory management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "15.0.3.3" }, { "model": "retail customer insights", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "15.0.2" }, { "model": "management services for element software", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "retail customer insights", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "16.0.2" }, { "model": "retail data extractor for merchandising", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "15.0.2" }, { "model": "tomcat", "scope": "gte", "trust": 1.0, "vendor": "apache", "version": "9.0.40" }, { "model": "managed file transfer", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.3.0" }, { "model": "middleware common libraries and tools", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.4.0" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "11.0" }, { "model": "retail data extractor for merchandising", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "16.0.2" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "10.1.0" }, { "model": "retail store inventory management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.0.4.13" }, { "model": "retail store inventory management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.1.3.5" }, { "model": "taleo platform", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "*" }, { "model": "retail eftlink", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "21.0.0" }, { "model": "tomcat", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "8.5.72" }, { "model": "communications diameter signaling router", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.0.0.0" }, { "model": "sd-wan edge", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "9.1" }, { "model": "hci", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "payment interface", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "19.1" }, { "model": "payment interface", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "20.3" }, { "model": "retail financial integration", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "16.0.1" }, { "model": "retail store inventory management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "15.0.3.8" }, { "model": "retail store inventory management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "16.0.3.7" }, { "model": "agile engineering data management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "6.2.1.0" }, { "model": "hospitality cruise shipboard property management system", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "20.1.0" }, { "model": "communications diameter signaling router", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.5.0.2" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "10.0.0" }, { "model": "tomcat", "scope": "gte", "trust": 1.0, "vendor": "apache", "version": "8.5.60" }, { "model": "tomcat", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "10.0.12" }, { "model": "tomcat", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "9.0.54" }, { "model": "sd-wan edge", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "9.0" }, { "model": "tomcat", "scope": "gte", "trust": 1.0, "vendor": "apache", "version": "10.0.1" }, { "model": "managed file transfer", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.4.0" }, { "model": "big data spatial and graph", "scope": "lt", "trust": 1.0, "vendor": "oracle", "version": "23.1" }, { "model": "tomcat", "scope": null, "trust": 0.6, "vendor": "apache", "version": null } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-83785" }, { "db": "NVD", "id": "CVE-2021-42340" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "166707" }, { "db": "PACKETSTORM", "id": "165117" }, { "db": "PACKETSTORM", "id": "165112" }, { "db": "PACKETSTORM", "id": "167841" } ], "trust": 0.4 }, "cve": "CVE-2021-42340", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CVE-2021-42340", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 1.1, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CNVD-2021-83785", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "VHN-397706", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "id": "CVE-2021-42340", "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2021-42340", "trust": 1.0, "value": "HIGH" }, { "author": "CNVD", "id": "CNVD-2021-83785", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202110-1057", "trust": 0.6, "value": "HIGH" }, { "author": "VULHUB", "id": "VHN-397706", "trust": 0.1, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2021-42340", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-83785" }, { "db": "VULHUB", "id": "VHN-397706" }, { "db": "VULMON", "id": "CVE-2021-42340" }, { "db": "CNNVD", "id": "CNNVD-202110-1057" }, { "db": "NVD", "id": "CVE-2021-42340" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. Apache Tomcat is a lightweight web application server of the Apache Foundation. The program implements support for Servlet and JavaServer Page (JSP). \n\r\n\r\nApache Tomcat has a security vulnerability. The vulnerability is caused by incorrectly verifying the data boundary when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can use this vulnerability to cause buffer overflow or heap overflow, etc. Description:\n\nRed Hat support for Spring Boot provides an application platform that\nreduces the complexity of developing and operating applications (monoliths\nand microservices) for OpenShift as a containerized platform. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: Red Hat JBoss Web Server 5.6.0 Security release\nAdvisory ID: RHSA-2021:4861-01\nProduct: Red Hat JBoss Web Server\nAdvisory URL: https://access.redhat.com/errata/RHSA-2021:4861\nIssue date: 2021-11-30\nCVE Names: CVE-2021-30640 CVE-2021-33037 CVE-2021-42340\n====================================================================\n1. Summary:\n\nUpdated Red Hat JBoss Web Server 5.6.0 packages are now available for Red\nHat Enterprise Linux 7 and Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this release as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat JBoss Web Server 5.6 for RHEL 7 Server - noarch, x86_64\nRed Hat JBoss Web Server 5.6 for RHEL 8 - noarch, x86_64\n\n3. Description:\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. \n\nThis release of Red Hat JBoss Web Server 5.6.0 serves as a replacement for\nRed Hat JBoss Web Server 5.5.0. This release includes bug fixes,\nenhancements and component upgrades, which are documented in the Release\nNotes, linked to in the References. \n\nSecurity Fix(es):\n\n* tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could\nlead to DoS (CVE-2021-42340)\n* tomcat: HTTP request smuggling when used with a reverse proxy\n(CVE-2021-33037)\n* tomcat: JNDI realm authentication weakness (CVE-2021-30640)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy\n1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness\n2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS\n\n6. Package List:\n\nRed Hat JBoss Web Server 5.6 for RHEL 7 Server:\n\nSource:\njws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.src.rpm\njws5-tomcat-native-1.2.30-3.redhat_3.el7jws.src.rpm\njws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.src.rpm\n\nnoarch:\njws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-java-jdk11-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-java-jdk8-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-lib-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm\njws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm\n\nx86_64:\njws5-tomcat-native-1.2.30-3.redhat_3.el7jws.x86_64.rpm\njws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el7jws.x86_64.rpm\n\nRed Hat JBoss Web Server 5.6 for RHEL 8:\n\nSource:\njws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.src.rpm\njws5-tomcat-native-1.2.30-3.redhat_3.el8jws.src.rpm\njws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.src.rpm\n\nnoarch:\njws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm\njws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm\njws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm\njws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm\njws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm\njws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm\njws5-tomcat-lib-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm\njws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm\njws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm\njws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm\njws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm\njws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm\n\nx86_64:\njws5-tomcat-native-1.2.30-3.redhat_3.el8jws.x86_64.rpm\njws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el8jws.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-30640\nhttps://access.redhat.com/security/cve/CVE-2021-33037\nhttps://access.redhat.com/security/cve/CVE-2021-42340\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2021 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYaaMntzjgjWX9erEAQibyg/9E3I1wMpKriqTZKlf1tGcPt4wShPVNKMh\nB4PC8t1vBZJZ2VBMrQJdmYBUKRn3mccCqUxd0ey/UfsacIoKvAACr18iXCxYc4cO\nMeNqy7SWRO+Kwze2fYpBu7w5dR34yhUQAN8DAOui7DduZsS209X7WhShrLSjzF5j\ng+nhRCi4l5QRwcy7NF4TAhmAN7f819BwDHQJI/ttaOHqEwsDnOlPNKbV0X4Hlkf5\n5VRD/8ArImD7tqpSs/9YVh34MJLCVmVkWgHBDY0I06LcRSQJoRBZDEkoPRHQxU26\nhKH5oDaVezm92RFFqfwo2HHY6eGJc/qTTcd/WeW4RDfx49+ARsOt2kvO2XcEo45A\niUue2MayqnfdQHRI7MMNaaWoNudI2MVBcbQYhkTZcgApZEmtCe4taeo0YUvFqUeJ\nN1Awh8QIN5vqA7wKdtrHiQCMx/6/fqi3VtKN3LZEuUiRMM/sueqc1yob6piuU4Vk\nnyHP0ULSyMYnrzoqKN1BwbobRYyXKbVR376qMtxhLMe71PXg26TgDC9seUnooNum\nXgcRIdc7Q2WyGaFLxGE5fS0/7FagX/etRlg9DIHi27NVl0WXgmFVLC2ZumjfSoms\nFgQUTPwa2Bt90Oat2u7vnB5MBvCR0+OAAsM8TK/cn/31F697MMTI6Qloiq2DDOt4\n2c2PkIZ6XrY=6RkQ\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nThe References section of this erratum contains a download link for the\nupdate. You must be logged in to download the update. \n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 9.0.43-2~deb11u3. \n\nWe recommend that you upgrade your tomcat9 packages. \n\nFor the detailed security status of tomcat9 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat9\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmGOe15fFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD\nRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7\nUeRMcA/7BuGjRiyZnyDtGXxmq2Uew/62TR+u8WaZx6WC6mBNJgYvB1CHEap6+2EY\nYlFDiddqSC14tPAf+8gOWLVI1CzaWYtGYe8NjRpr6MjnUMfWonHnQn1SqDL8pORb\nyXLReYESx/YlvUs8+ZRsSoD5H0kFFA+6wYbeZ8gUcuyaV9hzRYDp3ATMAQCLL3RT\nobSBRpDv+0izjrCZqrcaLX0nBLK7YX/cEpGpT0xCqL6qkuDOVvLxtoc2HBCvYXsd\ni+9CL6sHzegCqzSypO+GTyOl815IF7BpqOTWm6JmqKDigQu6s432oT2o3Myex5+w\nCILS2jQaOLlf3nf9tGhbVDv6UougC27fXlkhopmBpINyKelX08Zazltsu86Wy2Zi\nO7eDLVQxeeSU7cgFBUoVwXouAG8vgfVw1cczYFE3O7Lj183pC3XS/HI+u3vGtooj\nLStn5jKDPI/vjAzaYk7sLH/OjDzmYXWX9/xQ0UpINK7I93CazE4toOjP0MlRMbZY\nMNm+KgKLD7ge1fzuZEyxmDempH5nsOcCz1I/xJ9O/gdpJOGAHg6Nu5FT+ceU6OeH\nlmY2BdUf46KYQO12wjs1VuapDwubiURGndA2F95aohxVV6QjsawKwJ9FLUKA+z6P\nTaTWS8DO8z9DAzA7IIAxuS9P0v4Hnr0L9ikldO1WMYQgOu5bLCI=\n=wISU\n-----END PGP SIGNATURE-----\n. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202208-34\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Low\n Title: Apache Tomcat: Multiple Vulnerabilities\n Date: August 21, 2022\n Bugs: #773571, #801916, #818160, #855971\n ID: 202208-34\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n=======\nMultiple vulnerabilities have been discovered in Apache Tomcat, the\nworst of which could result in denial of service. \n\nAffected packages\n================\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 www-servers/tomcat \u003c 8.5.82:8.5 \u003e= 8.5.82:8.5\n \u003c 9.0.65:9 \u003e= 9.0.65:9\n \u003c 10.0.23:10 \u003e= 10.0.23:10\n\nDescription\n==========\nMultiple vulnerabilities have been discovered in Apache Tomcat. Please\nreview the CVE identifiers referenced below for details. \n\nImpact\n=====\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n=========\nThere is no known workaround at this time. \n\nResolution\n=========\nAll Apache Tomcat 10.x users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/tomcat-10.0.23:10\"\n\nAll Apache Tomcat 9.x users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/tomcat-9.0.65:9\"\n\nAll Apache Tomcat 8.5.x users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/tomcat-8.5.82:8.5\"\n\nReferences\n=========\n[ 1 ] CVE-2021-25122\n https://nvd.nist.gov/vuln/detail/CVE-2021-25122\n[ 2 ] CVE-2021-25329\n https://nvd.nist.gov/vuln/detail/CVE-2021-25329\n[ 3 ] CVE-2021-30639\n https://nvd.nist.gov/vuln/detail/CVE-2021-30639\n[ 4 ] CVE-2021-30640\n https://nvd.nist.gov/vuln/detail/CVE-2021-30640\n[ 5 ] CVE-2021-33037\n https://nvd.nist.gov/vuln/detail/CVE-2021-33037\n[ 6 ] CVE-2021-42340\n https://nvd.nist.gov/vuln/detail/CVE-2021-42340\n[ 7 ] CVE-2022-34305\n https://nvd.nist.gov/vuln/detail/CVE-2022-34305\n\nAvailability\n===========\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202208-34\n\nConcerns?\n========\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n======\nCopyright 2022 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. The purpose of this text-only errata is to inform you about the\nsecurity issues fixed in this release. \n\nInstallation instructions are available from the Fuse 7.11.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/\n\n4", "sources": [ { "db": "NVD", "id": "CVE-2021-42340" }, { "db": "CNVD", "id": "CNVD-2021-83785" }, { "db": "VULHUB", "id": "VHN-397706" }, { "db": "VULMON", "id": "CVE-2021-42340" }, { "db": "PACKETSTORM", "id": "166707" }, { "db": "PACKETSTORM", "id": "165117" }, { "db": "PACKETSTORM", "id": "165112" }, { "db": "PACKETSTORM", "id": "169152" }, { "db": "PACKETSTORM", "id": "168127" }, { "db": "PACKETSTORM", "id": "167841" } ], "trust": 2.16 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-42340", "trust": 3.0 }, { "db": "MCAFEE", "id": "SB10379", "trust": 1.8 }, { "db": "PACKETSTORM", "id": "165112", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "168127", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202110-1057", "trust": 0.7 }, { "db": "PACKETSTORM", "id": "166707", "trust": 0.7 }, { "db": "CNVD", "id": "CNVD-2021-83785", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022042265", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021113014", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022072010", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021111711", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022041951", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022070601", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021110507", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021101507", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022072030", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012770", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.4028", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.3418", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.3880", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.1837", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "165117", "trust": 0.2 }, { "db": "VULHUB", "id": "VHN-397706", "trust": 0.1 }, { "db": "VULMON", "id": "CVE-2021-42340", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "169152", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "167841", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-83785" }, { "db": "VULHUB", "id": "VHN-397706" }, { "db": "VULMON", "id": "CVE-2021-42340" }, { "db": "PACKETSTORM", "id": "166707" }, { "db": "PACKETSTORM", "id": "165117" }, { "db": "PACKETSTORM", "id": "165112" }, { "db": "PACKETSTORM", "id": "169152" }, { "db": "PACKETSTORM", "id": "168127" }, { "db": "PACKETSTORM", "id": "167841" }, { "db": "CNNVD", "id": "CNNVD-202110-1057" }, { "db": "NVD", "id": "CVE-2021-42340" } ] }, "id": "VAR-202110-1693", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2021-83785" }, { "db": "VULHUB", "id": "VHN-397706" } ], "trust": 0.06999999999999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-83785" } ] }, "last_update_date": "2024-11-23T20:01:02.611000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Patch for Apache Tomcat Resource Management Error Vulnerability (CNVD-2021-83785)", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/296691" }, { "title": "Apache Tomcat Remediation of resource management error vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=166768" }, { "title": "Debian Security Advisories: DSA-5009-1 tomcat9 -- security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=00ce291d41f0bec40669f5cb28c4ff5a" }, { "title": "Amazon Linux AMI: ALAS-2021-1546", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2021-1546" }, { "title": "Red Hat: Important: Red Hat support for Spring Boot 2.5.10 update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221179 - Security Advisory" }, { "title": "Red Hat: CVE-2021-42340", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2021-42340" }, { "title": "Arch Linux Issues: ", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-42340 log" }, { "title": "Red Hat: Important: Red Hat Fuse 7.11.0 release and security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225532 - Security Advisory" }, { "title": "", "trust": 0.1, "url": "https://github.com/Live-Hack-CVE/CVE-2021-42340 " }, { "title": "awesome-websocket-security", "trust": 0.1, "url": "https://github.com/PalindromeLabs/awesome-websocket-security " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-83785" }, { "db": "VULMON", "id": "CVE-2021-42340" }, { "db": "CNNVD", "id": "CNNVD-202110-1057" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-772", "trust": 1.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-397706" }, { "db": "NVD", "id": "CVE-2021-42340" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "trust": 1.9, "url": "https://www.debian.org/security/2021/dsa-5009" }, { "trust": 1.9, "url": "https://security.gentoo.org/glsa/202208-34" }, { "trust": 1.8, "url": "https://security.netapp.com/advisory/ntap-20211104-0001/" }, { "trust": 1.8, "url": "https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3cannounce.tomcat.apache.org%3e" }, { "trust": 1.8, "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "trust": 1.8, "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "trust": 1.7, "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10379" }, { "trust": 1.2, "url": "https://vigilance.fr/vulnerability/apache-tomcat-memory-leak-via-websocket-http-upgrade-connections-metrics-36659" }, { "trust": 1.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-42340" }, { "trust": 1.0, "url": "https://access.redhat.com/security/cve/cve-2021-42340" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3ccommits.myfaces.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784@%3ccommits.myfaces.apache.org%3e" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6518310" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6524338" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021113014" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022042265" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/166707/red-hat-security-advisory-2022-1179-01.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021110507" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022072030" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/165112/red-hat-security-advisory-2021-4863-06.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022041951" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.3418" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021111711" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.3880" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.4028" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021101507" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/168127/gentoo-linux-security-advisory-202208-34.html" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.1837" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012770" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb20220720102" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022070601" }, { "trust": 0.4, "url": "https://access.redhat.com/security/updates/classification/#important" }, { "trust": 0.4, "url": "https://access.redhat.com/security/cve/cve-2021-33037" }, { "trust": 0.4, "url": "https://access.redhat.com/security/cve/cve-2021-30640" }, { "trust": 0.4, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.4, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33037" }, { "trust": 0.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30640" }, { "trust": 0.4, "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-3859" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-3642" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-3629" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-41079" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-25122" }, { "trust": 0.1, "url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10379" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/772.html" }, { "trust": 0.1, "url": "https://github.com/live-hack-cve/cve-2021-42340" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://security.archlinux.org/cve-2021-42340" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.5/html/release_notes_for_spring_boot_2.5/index" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20289" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3859" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3597" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-20289" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3597" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product\\xcatrhoar.spring.boot\u0026version=2.5.10" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3629" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3642" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:1179" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41079" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2021:4861" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.1, "url": "https://access.redhat.com/articles/11258" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2021:4863" }, { "trust": 0.1, "url": "https://www.debian.org/security/faq" }, { "trust": 0.1, "url": "https://security-tracker.debian.org/tracker/tomcat9" }, { "trust": 0.1, "url": "https://www.debian.org/security/" }, { "trust": 0.1, "url": "https://creativecommons.org/licenses/by-sa/2.5" }, { "trust": 0.1, "url": "https://security.gentoo.org/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-34305" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-25329" }, { "trust": 0.1, "url": "https://bugs.gentoo.org." }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30639" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-29582" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-40690" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0084" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-25122" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-25845" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22060" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22573" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-2471" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-26336" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22119" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-24122" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22569" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22970" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.fuse\u0026version=7.11.0" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-7020" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22119" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-23913" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-35517" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-35516" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-33813" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-21724" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22950" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22932" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-30126" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22978" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-25329" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4178" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22971" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22096" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3807" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-38153" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-15250" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-23181" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-36518" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-15250" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-43797" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22096" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22976" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22573" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-7020" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22968" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-1319" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-24614" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-25689" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22569" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-23596" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-25689" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-24122" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-36090" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-23221" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22060" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-21363" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-9484" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-43859" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-26520" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-2471" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-42550" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9484" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41766" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-29505" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-29582" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-36518" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-1259" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-35515" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:5532" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3644" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-83785" }, { "db": "VULHUB", "id": "VHN-397706" }, { "db": "VULMON", "id": "CVE-2021-42340" }, { "db": "PACKETSTORM", "id": "166707" }, { "db": "PACKETSTORM", "id": "165117" }, { "db": "PACKETSTORM", "id": "165112" }, { "db": "PACKETSTORM", "id": "169152" }, { "db": "PACKETSTORM", "id": "168127" }, { "db": "PACKETSTORM", "id": "167841" }, { "db": "CNNVD", "id": "CNNVD-202110-1057" }, { "db": "NVD", "id": "CVE-2021-42340" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2021-83785" }, { "db": "VULHUB", "id": "VHN-397706" }, { "db": "VULMON", "id": "CVE-2021-42340" }, { "db": "PACKETSTORM", "id": "166707" }, { "db": "PACKETSTORM", "id": "165117" }, { "db": "PACKETSTORM", "id": "165112" }, { "db": "PACKETSTORM", "id": "169152" }, { "db": "PACKETSTORM", "id": "168127" }, { "db": "PACKETSTORM", "id": "167841" }, { "db": "CNNVD", "id": "CNNVD-202110-1057" }, { "db": "NVD", "id": "CVE-2021-42340" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-10-18T00:00:00", "db": "CNVD", "id": "CNVD-2021-83785" }, { "date": "2021-10-14T00:00:00", "db": "VULHUB", "id": "VHN-397706" }, { "date": "2021-10-14T00:00:00", "db": "VULMON", "id": "CVE-2021-42340" }, { "date": "2022-04-13T15:02:31", "db": "PACKETSTORM", "id": "166707" }, { "date": "2021-12-01T16:38:47", "db": "PACKETSTORM", "id": "165117" }, { "date": "2021-12-01T16:37:47", "db": "PACKETSTORM", "id": "165112" }, { "date": "2021-11-28T20:12:00", "db": "PACKETSTORM", "id": "169152" }, { "date": "2022-08-22T16:02:30", "db": "PACKETSTORM", "id": "168127" }, { "date": "2022-07-27T17:27:19", "db": "PACKETSTORM", "id": "167841" }, { "date": "2021-10-14T00:00:00", "db": "CNNVD", "id": "CNNVD-202110-1057" }, { "date": "2021-10-14T20:15:09.060000", "db": "NVD", "id": "CVE-2021-42340" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-11-04T00:00:00", "db": "CNVD", "id": "CNVD-2021-83785" }, { "date": "2022-10-27T00:00:00", "db": "VULHUB", "id": "VHN-397706" }, { "date": "2022-10-27T00:00:00", "db": "VULMON", "id": "CVE-2021-42340" }, { "date": "2022-08-23T00:00:00", "db": "CNNVD", "id": "CNNVD-202110-1057" }, { "date": "2024-11-21T06:27:38.363000", "db": "NVD", "id": "CVE-2021-42340" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202110-1057" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache Tomcat Resource Management Error Vulnerability (CNVD-2021-83785)", "sources": [ { "db": "CNVD", "id": "CNVD-2021-83785" } ], "trust": 0.6 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "resource management error", "sources": [ { "db": "CNNVD", "id": "CNNVD-202110-1057" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.