
Upgrade the bundled version of Apache Tomcat to 8.5.68 or later

Description

Issue Summary

The recently disclosed vulnerabilities regarding Apache Tomcat:

* CVE-2021-33037 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037, https://nvd.nist.gov/vuln/detail/CVE-2021-33037; Base Score: 5.3 MEDIUM)
* CVE-2021-42340 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42340; NVD score not yet provided)

    "The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError."

affect the following versions:

* Apache Tomcat 10.0.0-M1 to 10.0.6
* Apache Tomcat 9.0.0.M1 to 9.0.53
* Apache Tomcat 8.5.60 to 8.5.71

We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future. Current bundled version of Tomcat: 8.5.68.

Steps to Reproduce

* Check the CVE reports:
  * CVE-2021-33037 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037)

Expected Results

* Not applicable.

Actual Results

* Not applicable.

Workaround

* Manually upgrade Tomcat according to our documentation (https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-used-by-jira-879957866.html).

Note on fix

Jira 8.21.0 is shipped with Apache Tomcat 8.5.72.
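A small check an administrator can run against a Jira install to see whether its bundled Tomcat falls inside the affected ranges quoted above. This is an added example, not code from the advisory, from Atlassian or from the Tomcat project. It copies the three affected ranges from the text, orders Tomcat's milestone builds (10.0.0-M1, 9.0.0.M1) before the matching final release, and reads the version from the "Server version: Apache Tomcat/X.Y.Z" line that `bin/catalina.sh version` prints; the sample output below is constructed for the bundled 8.5.68 build named in the issue.

```python
import re
from typing import List, Tuple

# Affected Tomcat ranges as listed in the advisory above (inclusive bounds).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("10.0.0-M1", "10.0.6"),
    ("9.0.0.M1", "9.0.53"),
    ("8.5.60", "8.5.71"),
]

# Tomcat writes milestone builds as "10.0.0-M1" (10.x) or "9.0.0.M1" (9.x).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Constructed sample of `bin/catalina.sh version` output for a Jira install
# bundling Tomcat 8.5.68 (paths and build date are placeholders).
SAMPLE_SERVER_INFO = """\
Using CATALINA_BASE:   /opt/atlassian/jira
Server version: Apache Tomcat/8.5.68
Server built:   Jan 01 2021 00:00:00 UTC
Server number:  8.5.68.0
OS Name:        Linux
"""


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Map a Tomcat version string to a tuple that sorts in release order.

    A milestone sorts before the final release with the same number, so the
    key is (major, minor, patch, is_release, milestone_number):
    9.0.0.M1 -> (9, 0, 0, 0, 1) and 9.0.0 -> (9, 0, 0, 1, 0).
    """
    m = _VERSION_RE.match(v.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version string: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if `version` falls inside any affected range (inclusive)."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_server_info(text: str) -> str:
    """Pull the version out of the 'Server version: Apache Tomcat/X.Y.Z' line."""
    m = re.search(r"^Server version:\s*Apache Tomcat/(\S+)", text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Server version:' line found")
    return m.group(1)


def check_server_info(text: str) -> Tuple[str, bool]:
    """Return (version, affected) for captured `catalina.sh version` output."""
    v = version_from_server_info(text)
    return v, is_affected(v)


if __name__ == "__main__":
    version, affected = check_server_info(SAMPLE_SERVER_INFO)
    status = "AFFECTED, upgrade to a fixed release" if affected else "not affected"
    print(f"Bundled Tomcat {version}: {status}")
```

To run it against a real install, pipe the output of `<jira-install>/bin/catalina.sh version` into `check_server_info` instead of the constructed sample; the milestone-aware ordering matters because a plain string comparison would place 10.0.0-M1 after 10.0.0.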


Affected Software


Name                          Version
jira server and data center   8.5.1
jira server and data center   8.17.1
jira server and data center   8.5.19
jira server and data center   8.13.11
jira server and data center   8.19.1
jira server and data center   8.20.0
jira server and data center   8.20.1
jira server and data center   8.20.2
jira server and data center   8.21.0
jira server and data center   8.13.18
jira server and data center   8.20.6
