tomcat -- Remote Denial of Service in multiple versions

2021-03-2400:00:00

vuxml.freebsd.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.013 Low

EPSS

Percentile

85.8%

JSON

rbeaudry reports:

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS.
Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchtomcat85= 8.5.64UNKNOWN
FreeBSDanynoarchtomcat9= 9.0.44UNKNOWN
FreeBSDanynoarchtomcat10= 10.0.3UNKNOWN
FreeBSDanynoarchtomcat10<= 10.0.4UNKNOWN

OS	Version	Architecture	Package	Version	Filename
FreeBSD	any	noarch	tomcat85	= 8.5.64	UNKNOWN
FreeBSD	any	noarch	tomcat9	= 9.0.44	UNKNOWN
FreeBSD	any	noarch	tomcat10	= 10.0.3	UNKNOWN
FreeBSD	any	noarch	tomcat10	<= 10.0.4	UNKNOWN