The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

The version of tomcat installed on the remote host is prior to 9.0.54-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2TOMCAT9-2023-006 advisory.

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to     9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP     upgrade connections was not released for WebSocket connections once the connection was closed. This     created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 8.5.72-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2TOMCAT8.5-2023-006 advisory.

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to     9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP     upgrade connections was not released for WebSocket connections once the connection was closed. This     created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202208-34 (Apache Tomcat: Multiple Vulnerabilities)

  - When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to     9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one     request to another meaning user A and user B could both see the results of user A's request.
    (CVE-2021-25122)

  - The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to     9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be     used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published     prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to     this issue. (CVE-2021-25329)

  - A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error     introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag     associated with the Request object was not reset between requests. This meant that once a non-blocking I/O     error occurred, all future requests handled by that request object would fail. Users were able to trigger     non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a     DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue     affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64. (CVE-2021-30639)

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to     9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP     upgrade connections was not released for WebSocket connections once the connection was closed. This     created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

  - In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the     Form authentication example in the examples web application displayed user provided data without     filtering, exposing a XSS vulnerability. (CVE-2022-34305)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Jira installed on the remote host is prior to 8.13.18 / 8.14.0 < 8.20.6 / 8.21.0. It is, therefore, affected by a vulnerability as referenced in the JRASERVER-73070 advisory.

  - Denial of service via an OutOfMemoryError (Tomcat CVE-2021-42340) (CVE-2021-42340)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of MySQL Enterprise Monitor installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2022 CPU advisory.

  - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General     (Apache Log4j)). Supported versions that are affected are 8.0.29 and prior. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL     Enterprise Monitor. (CVE-2022-23305)

  - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General     (Spring Framework)). Supported versions that are affected are 8.0.29 and prior. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL     Enterprise Monitor. (CVE-2022-22965)

  - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General     (Apache Tomcat)). Supported versions that are affected are 8.0.29 and prior. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of MySQL Enterprise Monitor. (CVE-2021-42340)

  - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General     (Spring Framework)). Supported versions that are affected are 8.0.29 and prior. The patterns for     disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is     listed with both upper and lower case for the first character of the field, including upper and lower case for the      first character of all nested fields within the property path. (CVE-2022-22968)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4861 advisory.

  - openssl: integer overflow in CipherUpdate (CVE-2021-23840)

  - openssl: NULL pointer dereference in X509_issuer_and_serial_hash() (CVE-2021-23841)

  - tomcat: JNDI realm authentication weakness (CVE-2021-30640)

  - tomcat: HTTP request smuggling when used with a reverse proxy (CVE-2021-33037)

  - openssl: Read buffer overruns processing ASN.1 strings (CVE-2021-3712)

  - tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS (CVE-2021-42340)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the apache package has been released.

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to     9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP     upgrade connections was not released for WebSocket connections once the connection was closed. This     created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5009 advisory.

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to     9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP     upgrade connections was not released for WebSocket connections once the connection was closed. This     created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tomcat8 installed on the remote host is prior to 8.5.72-1.89. It is, therefore, affected by a vulnerability as referenced in the ALAS-2021-1546 advisory.

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to     9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP     upgrade connections was not released for WebSocket connections once the connection was closed. This     created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 10.1.0-M1 to 10.1.0-M5, 10.0.0-M10 to 10.0.11, 9.0.40 to 9.0.53 or 8.5.60 to 8.5.71. It is, therefore, affected by a denial of service. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 10.1.0-M6. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.1.0-m6_security-10 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 9.0.54. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.54_security-9 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 10.0.12. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.0.12_security-10 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 8.5.72. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.72_security-8 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.0.12. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.0.12_security-10 advisory.

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to     9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP     upgrade connections was not released for WebSocket connections once the connection was closed. This     created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.54. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.54_security-9 advisory.

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to     9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP     upgrade connections was not released for WebSocket connections once the connection was closed. This     created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.0.M6. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.1.0-m6_security-10 advisory.

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to     9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP     upgrade connections was not released for WebSocket connections once the connection was closed. This     created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.5.72. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.72_security-8 advisory.

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to     9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP     upgrade connections was not released for WebSocket connections once the connection was closed. This     created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
182057	Amazon Linux 2 : tomcat (ALASTOMCAT9-2023-006)	Nessus	Amazon Linux Local Security Checks	high
182005	Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2023-006)	Nessus	Amazon Linux Local Security Checks	high
164611	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.20.3)	Nessus	Misc.	critical
164603	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.1)	Nessus	Misc.	critical
164572	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.1.1)	Nessus	Misc.	critical
164564	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.0.2.5)	Nessus	Misc.	critical
164434	GLSA-202208-34 : Apache Tomcat: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
162744	Atlassian Jira < 8.13.18 / 8.14.0 < 8.20.6 / 8.21.0 (JRASERVER-73070)	Nessus	CGI abuses	high
159917	Oracle MySQL Enterprise Monitor (Apr 2022 CPU)	Nessus	CGI abuses	critical
155756	RHEL 7 / 8 : Red Hat JBoss Web Server 5.6.0 Security release (Important) (RHSA-2021:4861)	Nessus	Red Hat Local Security Checks	medium
155327	Photon OS 4.0: Apache PHSA-2021-4.0-0126	Nessus	PhotonOS Local Security Checks	high
155317	Debian DSA-5009-1 : tomcat9 - security update	Nessus	Debian Local Security Checks	high
154897	Amazon Linux AMI : tomcat8 (ALAS-2021-1546)	Nessus	Amazon Linux Local Security Checks	high
113020	Apache Tomcat 8.5.60 < 8.5.72 Denial of Service	Web App Scanning	Component Vulnerability	high
113019	Apache Tomcat 9.0.40 < 9.0.54 Denial of Service	Web App Scanning	Component Vulnerability	high
113018	Apache Tomcat 10.0.0-M10 < 10.0.12 Denial of Service	Web App Scanning	Component Vulnerability	high
113017	Apache Tomcat 10.1.0-M1 < 10.1.0-M6 Denial of Service	Web App Scanning	Component Vulnerability	high
701374	Apache Tomcat < 10.1.0-M6 Vulnerability	Nessus Network Monitor	Web Servers	medium
701373	Apache Tomcat < 9.0.54 Vulnerability	Nessus Network Monitor	Web Servers	medium
701372	Apache Tomcat < 10.0.12 Vulnerability	Nessus Network Monitor	Web Servers	medium
701371	Apache Tomcat < 8.5.72 Vulnerability	Nessus Network Monitor	Web Servers	medium
154151	Apache Tomcat 10.0.0.M10 < 10.0.12 vulnerability	Nessus	Web Servers	high
154150	Apache Tomcat 9.0.40 < 9.0.54 vulnerability	Nessus	Web Servers	high
154149	Apache Tomcat 10.1.0.M1 < 10.1.0.M6 vulnerability	Nessus	Web Servers	high
154147	Apache Tomcat 8.5.60 < 8.5.72 vulnerability	Nessus	Web Servers	high

Detections

Analytics

CVE-2021-42340

high

Tenable Plugins

high

high

critical

critical

critical

critical

high

high

critical

medium

high

high

high

high

high

high

high

medium

medium

medium

medium

high

high

high

high