CVE-2021-41079 Apache Tomcat DoS with unexpected TLS packet

2021-09-1614:40:25

CWE-20

apache

www.cve.org

7.7 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

77.0%

JSON

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

CNA Affected

[
  {
    "product": "Apache Tomcat",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Tomcat 8.5 8.5.0 to 8.5.63"
      },
      {
        "status": "affected",
        "version": "Apache Tomcat 9 9.0.0-M1 to 9.0.43"
      },
      {
        "status": "affected",
        "version": "Apache Tomcat 10 10.0.0-M1 to 10.0.2"
      }
    ]
  }
]