https://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E

[debian-lts-announce] 20210922 [SECURITY] [DLA 2764-1] tomcat8 security update

https://security.netapp.com/advisory/ntap-20211008-0005/

[tomcat-users] 20211014 [SECURITY] CVE-2021-42340 Apache Tomcat DoS

[tomcat-dev] 20211014 [SECURITY] CVE-2021-42340 Apache Tomcat DoS

DSA-4986

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4986 advisory.

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the apache package has been released.

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:3741 advisory.

  - tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine     (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2764 advisory.

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 8.5.64. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.64_security-8 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 9.0.44. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.44_security-9 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 10.0.4. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.0.4_security-10 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
154177	Debian DSA-4986-1 : tomcat9 - security update	Nessus	Debian Local Security Checks	medium
153988	Photon OS 3.0: Apache PHSA-2021-3.0-0312	Nessus	PhotonOS Local Security Checks	high
153938	Photon OS 1.0: Apache PHSA-2021-1.0-0438	Nessus	PhotonOS Local Security Checks	high
153928	Photon OS 2.0: Apache PHSA-2021-2.0-0401	Nessus	PhotonOS Local Security Checks	high
153902	RHEL 7 : Red Hat JBoss Web Server 5.5.1 Security Update (Important) (RHSA-2021:3741)	Nessus	Red Hat Local Security Checks	high
153601	Debian DLA-2764-1 : tomcat8 - LTS security update	Nessus	Debian Local Security Checks	high
701366	Apache Tomcat < 8.5.64 Vulnerability	Nessus Network Monitor	Web Servers	medium
701365	Apache Tomcat < 9.0.44 Vulnerability	Nessus Network Monitor	Web Servers	medium
701364	Apache Tomcat < 10.0.4 Vulnerability	Nessus Network Monitor	Web Servers	medium

CVE-2021-41079

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

medium

high

high

high

high

high

medium

medium

medium