Description

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Related CPE's

a

apache

tomcat

9

a

netapp

hci

-

Vulnerable

a

netapp

management_services_for_element_software

-

Vulnerable

o

debian

debian_linux

11.0

Vulnerable

a

oracle

agile_engineering_data_management

6.2.1.0

Vulnerable

a

oracle

big_data_spatial_and_graph

Vulnerable

a

oracle

communications_diameter_signaling_router

Vulnerable

a

oracle

hospitality_cruise_shipboard_property_management_system

20.1.0

Vulnerable

a

oracle

managed_file_transfer

2

a

oracle

middleware_common_libraries_and_tools

12.2.1.4.0

Vulnerable

a

oracle

payment_interface

2

a

oracle

retail_customer_insights

2

a

oracle

retail_data_extractor_for_merchandising

2

a

oracle

retail_eftlink

21.0.0

Vulnerable

a

oracle

retail_financial_integration

2

a

oracle

retail_store_inventory_management

6

a

oracle

sd-wan_edge

2

a

oracle

taleo_platform

Vulnerable

References

https://kc.mcafee.com/corporate/index?page=content&id=SB10379

Third Party Advisory

https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E

https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E

Mailing ListVendor Advisory

https://security.gentoo.org/glsa/202208-34

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211104-0001/

Third Party Advisory

https://www.debian.org/security/2021/dsa-5009

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

PatchThird Party Advisory

https://kc.mcafee.com/corporate/index?page=content&id=SB10379

Third Party Advisory

https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E

https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E

Mailing ListVendor Advisory

https://security.gentoo.org/glsa/202208-34

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211104-0001/

Third Party Advisory

https://www.debian.org/security/2021/dsa-5009

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

PatchThird Party Advisory

Weaknesses

[email protected]

Secondary
CWE-772

[email protected]

Primary
CWE-772

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 · High

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-10-14T18:15:09.060Z

4 years ago

Last modified

2024-11-21T05:27:38.363Z

1 year ago