CVE-2021-41079

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

References

https://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2021/09/msg00012.html

https://security.netapp.com/advisory/ntap-20211008-0005/

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://www.debian.org/security/2021/dsa-4986

Details

Source: MITRE

Published: 2021-09-16

Updated: 2021-10-15

Type: CWE-20

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

View all (9 total)

IDNameProductFamilySeverity
154177Debian DSA-4986-1 : tomcat9 - security updateNessusDebian Local Security Checks
medium
153988Photon OS 3.0: Apache PHSA-2021-3.0-0312NessusPhotonOS Local Security Checks
high
153938Photon OS 1.0: Apache PHSA-2021-1.0-0438NessusPhotonOS Local Security Checks
high
153928Photon OS 2.0: Apache PHSA-2021-2.0-0401NessusPhotonOS Local Security Checks
high
153902RHEL 7 : Red Hat JBoss Web Server 5.5.1 Security Update (Important) (RHSA-2021:3741)NessusRed Hat Local Security Checks
high
153601Debian DLA-2764-1 : tomcat8 - LTS security updateNessusDebian Local Security Checks
high
701366Apache Tomcat < 8.5.64 VulnerabilityNessus Network MonitorWeb Servers
medium
701365Apache Tomcat < 9.0.44 VulnerabilityNessus Network MonitorWeb Servers
medium
701364Apache Tomcat < 10.0.4 VulnerabilityNessus Network MonitorWeb Servers
medium