CVE number – CVE-2021-42340
The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat.
An attacker who can open WebSocket connections to the server could exploit this vulnerability to cause a denial of service condition by repeatedly opening and closing such connections until the JVM runs out of memory.
The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.1.0-M6 or later
- Upgrade to Apache Tomcat 10.0.12 or later
- Upgrade to Apache Tomcat 9.0.54 or later
- Upgrade to Apache Tomcat 8.5.72 or later
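The list above gives the fixed release on each supported branch but no quick way to check a running instance against it. The script below is an added example and is not part of the Apache advisory or of Tomcat itself. It parses the version string Tomcat prints in `version.sh` output and on its default error pages (the sample lines are constructed here), orders milestone builds such as 10.1.0-M5 before the GA release they precede, and reports whether the instance is at or beyond the fixed release for its branch. Because the advisory excerpt above does not state the first affected version on each branch, anything older than the fixed release is reported as needing an upgrade; a branch not listed above (for example 7.0.x) is reported as unknown rather than as safe.

```python
import re

# Fixed releases from the advisory above, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (10, 1): "10.1.0-M6",
    (10, 0): "10.0.12",
    (9, 0): "9.0.54",
    (8, 5): "8.5.72",
}

# Matches "9.0.53", "10.1.0-M5" or "Apache Tomcat/9.0.53" anywhere in a line.
_VERSION_RE = re.compile(r"(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, milestone); milestone is None for a GA build."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else None)


def version_key(version):
    """Sort key that places every milestone of a release before its GA build."""
    major, minor, patch, milestone = version
    if milestone is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, milestone)


def assess(banner):
    """Classify a version banner as 'fixed', 'upgrade' or 'unknown-branch'.

    Returns (status, fixed_release) where fixed_release is the advisory's
    fixed version for the branch, or None when the branch is not listed.
    """
    version = parse_version(banner)
    branch = (version[0], version[1])
    if branch not in FIXED_RELEASES:
        return ("unknown-branch", None)
    fixed = FIXED_RELEASES[branch]
    if version_key(version) >= version_key(parse_version(fixed)):
        return ("fixed", fixed)
    return ("upgrade", fixed)


if __name__ == "__main__":
    # Constructed sample lines in the shape of version.sh output and error-page
    # footers; these are illustrative, not captured from a real server.
    samples = [
        "Server version: Apache Tomcat/9.0.53",
        "Server version: Apache Tomcat/9.0.54",
        "Server version: Apache Tomcat/10.1.0-M5",
        "Server version: Apache Tomcat/10.1.0-M6",
        "Server version: Apache Tomcat/8.5.71",
        "Server version: Apache Tomcat/7.0.109",
    ]
    for line in samples:
        status, fixed = assess(line)
        print(f"{line:45} -> {status}" + (f" (fixed in {fixed})" if fixed else ""))
```

Feed it the `Server version:` line from `bin/version.sh` (or the version string on a Tomcat error page) rather than the `Server` HTTP header, which many deployments suppress or rewrite.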
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.