Hello all,

we use tomcat 9.0.62 in our environment and most likely hit the bug from 
CVE-2021-43980 (which should be fixed in this version).

Why do we think that we hit this bug?

  * Since we refactored some e2e tests, one test regularly fails because the 
client receives packets that should never be received by this client. The 
received packets belong to another TCP connection.
  * We did a Wireshark dump and can confirm that the packets were sent by 
Tomcat. For a period of 4 msec some packets are routed "into the wrong TCP 
connection" by Tomcat.
  * The bug seems to be triggered by some special timing + parallel processing 
situation.
  * In the first step we assumed we had hit a bug in the AWS environment or 
TCP/IP stack, but then found the bug report for Tomcat.
  * We used Tomcat 9.0.60 when hitting the bug. After upgrading to 9.0.62 the 
bug kept appearing. Even in 9.0.70 the bug exists.
  * We replaced Tomcat with Undertow and all e2e tests run fine.

From our point of view, we have an environment/configuration which triggers 
this bug very often (100%).
If you need anybody to test further fixes, then we can help you. Please let us 
know.

Best regards,
Martin Garbe
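The symptom reported above (a client receiving a response that belongs to another TCP connection) can be made visible without Wireshark by tagging every request with a unique id and checking that the response echoes the same id. The following harness is an added example and is not part of this message or of the Tomcat project; it uses a small Python echo server in place of the real application, and the header name `X-Request-Id` and the client/request counts are assumptions. Each worker holds one keep-alive connection, issues requests in sequence, and records the (sent id, received id) pairs; `find_mismatches` then flags any response that carries an id the connection never sent. Against a correct server the mismatch list is empty, which is what a reproducer of this bug would check.

```python
"""Detect cross-connection response mixing with per-request ids.

Added example (not from the original message). The echo server stands in for
the application under test; point the worker at a real Tomcat instance whose
endpoint echoes the X-Request-Id header (assumed name) to use it as a probe.
"""
import http.client
import threading
import uuid
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class EchoHandler(BaseHTTPRequestHandler):
    """Stand-in server: answers each GET with the request id it received."""

    protocol_version = "HTTP/1.1"  # keep-alive, as a real connector would

    def do_GET(self):
        body = self.headers.get("X-Request-Id", "").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_server():
    """Start the stand-in server on an ephemeral port and return it."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def worker(host, port, n_requests):
    """One keep-alive connection issuing n requests in sequence.

    Returns the list of (sent_id, received_id) pairs observed on this
    connection so that mixing can be judged afterwards.
    """
    pairs = []
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        for _ in range(n_requests):
            req_id = uuid.uuid4().hex
            conn.request("GET", "/", headers={"X-Request-Id": req_id})
            resp = conn.getresponse()
            pairs.append((req_id, resp.read().decode()))
    finally:
        conn.close()
    return pairs


def find_mismatches(pairs):
    """Return every pair whose response id differs from the id that was sent.

    A non-empty result means a response meant for another request (possibly
    on another connection) was delivered here.
    """
    return [(sent, got) for sent, got in pairs if sent != got]


def run_check(n_clients=8, n_requests=50):
    """Run n_clients parallel connections and return the aggregated mismatches."""
    srv = start_server()
    host, port = srv.server_address
    try:
        with ThreadPoolExecutor(max_workers=n_clients) as ex:
            results = list(ex.map(lambda _: worker(host, port, n_requests),
                                  range(n_clients)))
    finally:
        srv.shutdown()
        srv.server_close()
    return find_mismatches([p for r in results for p in r])


if __name__ == "__main__":
    bad = run_check()
    print("mismatched responses:", len(bad))
    for sent, got in bad[:10]:
        print(f"  sent {sent} but received {got}")
```

The parallel keep-alive clients are what the report identifies as the trigger (timing plus concurrent processing), so raising `n_clients` and `n_requests` is the knob to turn when trying to reproduce; the per-connection pair list also tells you which connection received the foreign response, which is the piece of evidence a packet capture alone makes tedious to extract.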
