Infinite loop in Apache Tomcat

#VU56634 Infinite loop in Apache Tomcat

Published: 2021-09-15

Vulnerability identifier: #VU56634

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-41079

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Tomcat
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when processing certain TLS packets. A remote attacker can send a specially crafted packet to the application, consume all available system resources and cause denial of service conditions.

Successful exploitation of vulnerability requires that Apache Tomcat is configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Tomcat: 10.0.0 - 10.0.2, 9.0.0 - 9.0.43, 8.5.0 - 8.5.63

CPE

cpe:2.3:a:apache_foundation:apache_tomcat:10.0.2:*:*:*:*:*:*:*

External links
http://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in DELL Secure Connect Gateway Security

Ubuntu update for tomcat9

Multiple vulnerabilities in IBM UrbanCode Release

SUSE update for tomcat

Amazon Linux AMI update for tomcat8

SUSE update for tomcat

Debian update for tomcat9

Denial of service in Red Hat JBoss Web Server