CVE-2021-43980 Apache Tomcat - Information Disclosure
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M12
Apache Tomcat 10.0.0-M1 to 10.0.18
Apache Tomcat 9.0.0-M1 to 9.0.60
Apache Tomcat 8.5.0 to 8.5.77
Description:
The simplified implementation of blocking reads and writes introduced in
Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long
standing (but extremely hard to trigger) concurrency bug that could
cause client connections to share an Http11Processor instance resulting
in responses, or part responses, to be received by the wrong client.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.1.0-M14 or later once released
- Upgrade to Apache Tomcat 10.0.20 or later once released
- Upgrade to Apache Tomcat 9.0.62 or later once released
- Upgrade to Apache Tomcat 8.5.78 or later once released
- Note 10.1.0-M13, 10.0.19 and 9.0.61 were not released
Credit:
Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for
discovering the issue and working with the Tomcat security team to
identify the root cause and appropriate fix.
History:
2022-09-28 Original advisory
References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
