Important: tomcat8

2021-10-2623:35:00

alas.aws.amazon.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.004 Low

EPSS

Percentile

74.7%

JSON

Issue Overview:

A flaw was found in Apache Tomcat. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet can trigger an infinite loop, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-41079)

Affected Packages:

tomcat8

Issue Correction:
Run yum update tomcat8 to update your system.

New Packages:

noarch:  
    tomcat8-el-3.0-api-8.5.69-1.88.amzn1.noarch  
    tomcat8-docs-webapp-8.5.69-1.88.amzn1.noarch  
    tomcat8-jsp-2.3-api-8.5.69-1.88.amzn1.noarch  
    tomcat8-javadoc-8.5.69-1.88.amzn1.noarch  
    tomcat8-lib-8.5.69-1.88.amzn1.noarch  
    tomcat8-servlet-3.1-api-8.5.69-1.88.amzn1.noarch  
    tomcat8-8.5.69-1.88.amzn1.noarch  
    tomcat8-admin-webapps-8.5.69-1.88.amzn1.noarch  
    tomcat8-log4j-8.5.69-1.88.amzn1.noarch  
    tomcat8-webapps-8.5.69-1.88.amzn1.noarch  
  
src:  
    tomcat8-8.5.69-1.88.amzn1.src

Additional References

Red Hat: CVE-2021-41079

Mitre: CVE-2021-41079

OSVersionArchitecturePackageVersionFilename
Amazon Linux1noarchtomcat8-el-3.0-api< 8.5.69-1.88.amzn1tomcat8-el-3.0-api-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux1noarchtomcat8-docs-webapp< 8.5.69-1.88.amzn1tomcat8-docs-webapp-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux1noarchtomcat8-jsp-2.3-api< 8.5.69-1.88.amzn1tomcat8-jsp-2.3-api-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux1noarchtomcat8-javadoc< 8.5.69-1.88.amzn1tomcat8-javadoc-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux1noarchtomcat8-lib< 8.5.69-1.88.amzn1tomcat8-lib-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux1noarchtomcat8-servlet-3.1-api< 8.5.69-1.88.amzn1tomcat8-servlet-3.1-api-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux1noarchtomcat8< 8.5.69-1.88.amzn1tomcat8-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux1noarchtomcat8-admin-webapps< 8.5.69-1.88.amzn1tomcat8-admin-webapps-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux1noarchtomcat8-log4j< 8.5.69-1.88.amzn1tomcat8-log4j-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux1noarchtomcat8-webapps< 8.5.69-1.88.amzn1tomcat8-webapps-8.5.69-1.88.amzn1.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	1	noarch	tomcat8-el-3.0-api	< 8.5.69-1.88.amzn1	tomcat8-el-3.0-api-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat8-docs-webapp	< 8.5.69-1.88.amzn1	tomcat8-docs-webapp-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat8-jsp-2.3-api	< 8.5.69-1.88.amzn1	tomcat8-jsp-2.3-api-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat8-javadoc	< 8.5.69-1.88.amzn1	tomcat8-javadoc-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat8-lib	< 8.5.69-1.88.amzn1	tomcat8-lib-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat8-servlet-3.1-api	< 8.5.69-1.88.amzn1	tomcat8-servlet-3.1-api-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat8	< 8.5.69-1.88.amzn1	tomcat8-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat8-admin-webapps	< 8.5.69-1.88.amzn1	tomcat8-admin-webapps-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat8-log4j	< 8.5.69-1.88.amzn1	tomcat8-log4j-8.5.69-1.88.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat8-webapps	< 8.5.69-1.88.amzn1	tomcat8-webapps-8.5.69-1.88.amzn1.noarch.rpm