CVE-2021-30639 — HIGH (7.5)

Q: How severe is CVE-2021-30639?

CVE-2021-30639 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-30639?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Mcafee Epolicy Orchestrator, Oracle Big Data Spatial And Graph.

Vulnerability Description

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Tomcat	8.5.64
Mcafee	Epolicy Orchestrator	< 5.10.0
Oracle	Big Data Spatial And Graph	< 23.1

Related Weaknesses (CWE)

CWE-755

References

https://kc.mcafee.com/corporate/index?page=content&id=SB10366Third Party Advisory
https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2
https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2
https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527bMailing ListVendor Advisory
https://security.gentoo.org/glsa/202208-34Third Party Advisory
https://security.netapp.com/advisory/ntap-20210827-0007/Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10366Third Party Advisory
https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2
https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2
https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527bMailing ListVendor Advisory
https://security.gentoo.org/glsa/202208-34Third Party Advisory
https://security.netapp.com/advisory/ntap-20210827-0007/Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2021-30639?

CVE-2021-30639 is a vulnerability with a CVSS score of 7.5 (HIGH). A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the er...

How severe is CVE-2021-30639?

CVE-2021-30639 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-30639?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Mcafee Epolicy Orchestrator, Oracle Big Data Spatial And Graph.