5369 matches found

RedHat Linux
added 2021/11/30 2:25 p.m., 4 views

tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS

A memory leak flaw was found in Apache Tomcat, where an HTTP upgrade connection does not release for WebSocket connections once the WebSocket connection is closed. If a sufficient number of such requests are made, an OutOfMemoryError occurs, leading to a denial of service. The highest threat from...

CVSS 7.5 | AI score 6.7 | EPSS 0.10997
Exploits: 0 | References: 9

RedHat Linux
added 2021/11/23 10:34 a.m., 1 view

undertow: buffer leak on incoming websocket PONG message may lead to DoS

A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability...

CVSS 7.5 | AI score 7.2 | EPSS 0.01375
Exploits: 1 | References: 4

Debian
added 2021/11/12 2:35 p.m., 49 views

[SECURITY] [DSA 5009-1] tomcat9 security update

Debian Security Advisory DSA-5009-1 | https://www.debian.org/security/ | Markus Koschany | November 12, 2021 | https://www.debian.org/security/faq ...

CVSS 7.5 | AI score 7.1 | EPSS 0.10997
Exploits: 0

OSV
added 2021/11/04 11:3 a.m., 2 views

OESA-2021-1413 tomcat security update

The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open developmen...

CVSS 7.5 | AI score 6.7 | EPSS 0.10997
Exploits: 0 | References: 2

Tenable Nessus
added 2021/10/28 12:0 a.m., 28 views

NewStart CGSL CORE 5.05 / MAIN 5.05 : libvncserver Vulnerability (NS-SA-2021-0135)

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has libvncserver packages installed that are affected by a vulnerability: - It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploi...

CVSS 9.8 | AI score 8.7 | EPSS 0.02259
Exploits: 0 | References: 3

Tenable Nessus
added 2021/10/27 12:0 a.m., 51 views

NewStart CGSL CORE 5.05 / MAIN 5.05 : tomcat Multiple Vulnerabilities (NS-SA-2021-0144)

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has tomcat packages installed that are affected by multiple vulnerabilities: - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacke...

CVSS 7.5 | AI score 7.5 | EPSS 0.87553
Exploits: 1 | References: 7

Trend Micro Simply Security
added 2021/10/19 12:0 a.m., 66 views

PurpleFox Adds New Backdoor That Uses WebSockets

In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability CVE-2021-1732 and optimized rootkit capabilities leveraged in their attac...

CVSS 4.6 | AI score 7.7 | EPSS 0.78376
Exploits: 21

OSV
added 2021/10/15 6:51 p.m., 0 views

GHSA-WPH7-X527-W3H5 Missing Release of Resource after Effective Lifetime in Apache Tomcat

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was...

CVSS 7.5 | AI score 7.2 | EPSS 0.10997
Exploits: 0 | References: 18

Veracode
added 2021/10/15 8:23 a.m., 59 views

Denial Of Service (DoS)

tomcat-websocket is vulnerable to denial of service (DoS) attacks. An out of memory (OOM) occurs as the internal upgrade handler doesn't close the associated web connection on destroy, causing an application crash...

CVSS 7.5 | AI score 3.5 | EPSS 0.10997
Exploits: 0 | References: 13 | Affected Software: 5

RedhatCVE
added 2021/10/15 2:51 a.m., 74 views

CVE-2021-42340

A memory leak flaw was found in Apache Tomcat, where an HTTP upgrade connection does not release for WebSocket connections once the WebSocket connection is closed. If a sufficient number of such requests are made, an OutOfMemoryError occurs, leading to a denial of service. The highest threat from...

CVSS 7.5 | AI score 2 | EPSS 0.10997
Exploits: 0 | References: 8

Tenable Nessus
added 2021/10/15 12:0 a.m., 16 views

Apache Tomcat 10.0.0-M10 < 10.0.12 Denial of Service

The version of Apache Tomcat installed on the remote host is 10.1.0-M1 to 10.1.0-M5, 10.0.0-M10 to 10.0.11, 9.0.40 to 9.0.53 or 8.5.60 to 8.5.71. It is, therefore, affected by a denial of service. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket...

CVSS 7.5 | AI score 7.2 | EPSS 0.10997
Exploits: 0 | References: 2

Tenable Nessus
added 2021/10/15 12:0 a.m., 17 views

Apache Tomcat 10.1.0-M1 < 10.1.0-M6 Denial of Service

The version of Apache Tomcat installed on the remote host is 10.1.0-M1 to 10.1.0-M5, 10.0.0-M10 to 10.0.11, 9.0.40 to 9.0.53 or 8.5.60 to 8.5.71. It is, therefore, affected by a denial of service. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket...

CVSS 7.5 | AI score 7.2 | EPSS 0.10997
Exploits: 0 | References: 2

Tenable Nessus
added 2021/10/15 12:0 a.m., 17 views

Apache Tomcat 8.5.60 < 8.5.72 Denial of Service

The version of Apache Tomcat installed on the remote host is 10.1.0-M1 to 10.1.0-M5, 10.0.0-M10 to 10.0.11, 9.0.40 to 9.0.53 or 8.5.60 to 8.5.71. It is, therefore, affected by a denial of service. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket...

CVSS 7.5 | AI score 7.2 | EPSS 0.10997
Exploits: 0 | References: 2

OSV
added 2021/10/14 8:15 p.m., 2 views

DEBIAN-CVE-2021-42340

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was...

CVSS 7.5 | AI score 6.6 | EPSS 0.10997
Exploits: 0 | References: 1

OSV
added 2021/10/14 8:15 p.m., 28 views

CVE-2021-42340

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was...

CVSS 7.5 | AI score 7.3
Exploits: 0 | References: 9

Prion
added 2021/10/14 8:15 p.m., 37 views

Memory corruption

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was...

CVSS 5 | AI score 7.2 | EPSS 0.10997
Exploits: 0 | References: 9 | Affected Software: 15

OSV
added 2021/10/14 8:15 p.m., 0 views

UBUNTU-CVE-2021-42340

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was...

CVSS 7.5 | AI score 6.8 | EPSS 0.10997
Exploits: 0 | References: 6

Debian CVE
added 2021/10/14 7:55 p.m., 53 views

CVE-2021-42340

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was...

CVSS 7.5 | AI score 7.7 | EPSS 0.10997
Exploits: 0

Cvelist
added 2021/10/14 7:55 p.m., 22 views

CVE-2021-42340 DoS via memory leak with WebSocket connections

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was...

AI score 7.6 | EPSS 0.10997
Exploits: 0 | References: 9

Tenable Nessus
added 2021/10/14 12:0 a.m., 90 views

Apache Tomcat 10.0.0.M10 < 10.0.12

The version of Tomcat installed on the remote host is prior to 10.0.12. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.0.12_security-10 advisory. - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.5...

CVSS 7.5 | AI score 7.2 | EPSS 0.10997
Exploits: 0 | References: 4