CVE-2021-42340 — HIGH (7.5)

Q: How severe is CVE-2021-42340?

CVE-2021-42340 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-42340?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Netapp Hci, Netapp Management Services For Element Software, Debian Debian Linux, Oracle Agile Engineering Data Management.

Vulnerability Description

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Tomcat	>= 8.5.60, < 8.5.72
Netapp	Hci	-
Netapp	Management Services For Element Software	-
Debian	Debian Linux	11.0
Oracle	Agile Engineering Data Management	6.2.1.0
Oracle	Big Data Spatial And Graph	< 23.1
Oracle	Communications Diameter Signaling Router	>= 8.0.0.0, <= 8.5.0.2
Oracle	Hospitality Cruise Shipboard Property Management System	20.1.0
Oracle	Managed File Transfer	12.2.1.3.0
Oracle	Middleware Common Libraries And Tools	12.2.1.4.0
Oracle	Payment Interface	19.1
Oracle	Retail Customer Insights	15.0.2
Oracle	Retail Data Extractor For Merchandising	15.0.2
Oracle	Retail Eftlink	21.0.0
Oracle	Retail Financial Integration	16.0.1
Oracle	Retail Store Inventory Management	14.0.4.13
Oracle	Sd-Wan Edge	9.0
Oracle	Taleo Platform	All versions

Related Weaknesses (CWE)

CWE-772

References

https://kc.mcafee.com/corporate/index?page=content&id=SB10379Third Party Advisory
https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d
https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57cedMailing ListVendor Advisory
https://security.gentoo.org/glsa/202208-34Third Party Advisory
https://security.netapp.com/advisory/ntap-20211104-0001/Third Party Advisory
https://www.debian.org/security/2021/dsa-5009Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10379Third Party Advisory
https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d
https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57cedMailing ListVendor Advisory
https://security.gentoo.org/glsa/202208-34Third Party Advisory
https://security.netapp.com/advisory/ntap-20211104-0001/Third Party Advisory
https://www.debian.org/security/2021/dsa-5009Third Party Advisory

FAQ

What is CVE-2021-42340?

CVE-2021-42340 is a vulnerability with a CVSS score of 7.5 (HIGH). The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics fo...

How severe is CVE-2021-42340?

CVE-2021-42340 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-42340?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Netapp Hci, Netapp Management Services For Element Software, Debian Debian Linux, Oracle Agile Engineering Data Management.