Apache Tomcat – Denial of service vulnerability [CVE-2021-42340]

CVE number – CVE-2021-42340

The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat.

An attacker could exploit this vulnerability to cause a denial of service condition.

The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Users of the affected versions should apply one of the following mitigations:

  • Upgrade to Apache Tomcat 10.1.0-M6 or later
  • Upgrade to Apache Tomcat 10.0.12 or later
  • Upgrade to Apache Tomcat 9.0.54 or later
  • Upgrade to Apache Tomcat 8.5.72 or later
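As an added example that is not part of this advisory, the Python below compares Tomcat version strings from an inventory against the fixed versions listed above. Because the advisory only gives the fix thresholds, anything older on one of the four listed branches is reported as needing the upgrade; milestone builds such as 10.1.0-M6 are ordered before the final release with the same number. The inventory and the `audit` helper are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, Optional[int]]  # (major, minor, patch, milestone)

# First fixed release per branch, taken from the advisory's mitigation list.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (8, 5): (8, 5, 72, None),
    (9, 0): (9, 0, 54, None),
    (10, 0): (10, 0, 12, None),
    (10, 1): (10, 1, 0, 6),  # 10.1.0-M6 is a milestone build
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' with an optional '-Mn' milestone suffix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, milestone


def _order_key(v: Version):
    major, minor, patch, milestone = v
    # A milestone precedes the final release carrying the same number, so
    # finals get 1 and milestones get 0 in the tie-break position.
    return (major, minor, patch, 0 if milestone is not None else 1, milestone or 0)


def needs_upgrade(version: str) -> Optional[bool]:
    """True if older than the branch's fixed release, False if at or past it,
    None when the branch is not one the advisory lists."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return None
    return _order_key(v) < _order_key(fixed)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: version} inventory to 'upgrade', 'ok' or 'unlisted-branch'."""
    labels = {True: "upgrade", False: "ok", None: "unlisted-branch"}
    return {host: labels[needs_upgrade(ver)] for host, ver in inventory.items()}
```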

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
