ATLASSIAN:JRASERVER-72914
History: Oct 17, 2021 - 11:13 a.m.

Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError

Source: jira.atlassian.com

7.5 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

h3. Issue Summary
Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError (Base Score: 7.5 HIGH)
bq. The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

The recently disclosed vulnerability regarding Tomcat [CVE-2021-42340|https://nvd.nist.gov/vuln/detail/CVE-2021-42340] affects the following versions:

  • Apache Tomcat 8.5.60 to 8.5.71
  • Apache Tomcat 9.0.40 to 9.0.53
  • Apache Tomcat 10.0.0-M10 to 10.0.11

Mitigation:
Users of the affected versions should apply one of the following mitigations:

  • Upgrade to Apache Tomcat 8.5.72 or later
  • Upgrade to Apache Tomcat 9.0.54 or later
  • Upgrade to Apache Tomcat 10.0.12 or later
  • Upgrade to Apache Tomcat 10.1.0-M6 or later
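
The affected and fixed version lists above are the practical input for triage: an operator needs to compare the Tomcat build bundled with each Jira instance against those inclusive ranges, and Tomcat milestone builds (the `-M` suffix) sort before the final release of the same number, which a naive string or tuple comparison gets wrong. The following is an added example, not code from the Jira issue or from Atlassian or Apache; it encodes only the three affected ranges and four fixed versions listed on this page and deliberately reports anything else as "not listed" rather than "safe" (for instance the 10.1 milestones below M6, which this page does not classify). The inventory at the bottom is constructed sample data.

```python
import re
from typing import List, NamedTuple, Tuple


class TomcatVersion(NamedTuple):
    """Sortable key for Tomcat version strings such as '9.0.53' or '10.0.0-M10'."""
    major: int
    minor: int
    patch: int
    final: int      # 1 for a release build, 0 for a milestone (-M) build
    milestone: int  # milestone number for -M builds, 0 for releases


# Accepts "<major>.<minor>.<patch>" with an optional "-M<n>" milestone suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> TomcatVersion:
    """Parse a Tomcat version string; milestones order before the final release."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    # final=0 makes e.g. 10.0.0-M10 sort below 10.0.0, as Tomcat intends.
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(milestone))


# Inclusive affected ranges, exactly as listed in the advisory text above.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("8.5.60", "8.5.71"),
    ("9.0.40", "9.0.53"),
    ("10.0.0-M10", "10.0.11"),
]

# First fixed build on each branch, as listed under Mitigation above.
FIXED_VERSIONS: List[str] = ["8.5.72", "9.0.54", "10.0.12", "10.1.0-M6"]


def _branch(v: TomcatVersion) -> Tuple[int, int]:
    return (v.major, v.minor)


def assess(version: str) -> str:
    """Classify one Tomcat version as 'affected', 'fixed' or 'not listed'.

    'not listed' means the advisory text neither places the version in an
    affected range nor at/after a fixed build on the same branch; treat it as
    unresolved, not as safe.
    """
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return "affected"
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if _branch(f) == _branch(v) and v >= f:
            return "fixed"
    return "not listed"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for each (host, bundled Tomcat version) pair."""
    return [(host, version, assess(version)) for host, version in inventory]


if __name__ == "__main__":
    # Constructed sample inventory of Jira hosts and their bundled Tomcat builds.
    sample_inventory = [
        ("jira-prod-1.example.test", "8.5.71"),
        ("jira-prod-2.example.test", "9.0.54"),
        ("jira-stage.example.test", "10.0.0-M10"),
        ("jira-lab.example.test", "10.1.0-M5"),
    ]
    for host, version, status in triage(sample_inventory):
        print(f"{host:28} {version:12} {status}")
```

Feed `triage` the bundled Tomcat version of each Jira host (the Tomcat build is what the advisory ranges describe; the 8.15 to 8.19 Jira range on this page is the product-level view of the same exposure). Anything reported as "not listed" should be resolved against the upstream Apache advisory rather than assumed unaffected.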

h3. Steps to Reproduce

See more at: [https://nvd.nist.gov/vuln/detail/CVE-2021-42340] and [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42340]
h3. Expected Results

  • Not applicable.

h3. Actual Results

  • Not applicable.

Affected Jira versions:
8.15 to 8.19

h3. Workaround
