Apache Tomcat TOMCAT:6B8125EDA215F510A527D712FEF3FF0A
History: Mar 10, 2021 - 12:00 a.m.

Fixed in Apache Tomcat 9.0.44

2021-03-10 00:00:00
Apache Tomcat
tomcat.apache.org

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.2 High
Confidence: High

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.007 Low
Percentile: 79.9%

Important: Denial of Service CVE-2021-41079

When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

This was fixed with commit d4b340fa.

This issue was first reported to the Apache Tomcat Security Team by Thomas Wozenilek on 26 February 2021 but could not be confirmed. A speculative fix was applied on 3 March 2021. On 14 September 2021 David Frankson of Infinite Campus independently reported the issue and included a test case. This allowed both the issue and the speculative fix to be verified. The issue was made public on 15 September 2021.

Affects: 9.0.0-M1 to 9.0.43

Important: Information Disclosure CVE-2024-21733

Incomplete POST requests triggered an error response that could contain data from a previous request from another user.

This was fixed with commit 86ccc439.

This issue was reported to the Apache Tomcat Security Team by xer0dayz from Sn1perSecurity LLC on 20 December 2023. The issue was made public on 19 January 2024.

Affects: 9.0.0-M11 to 9.0.43
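
Added example (not part of the advisory or of Apache Tomcat's own code): a check of an installed 9.0.x version against the two affected ranges stated above, ordering milestone builds (M1, M11, ...) before the final release, which a plain string comparison gets wrong. The function names, the accepted input forms ("9.0.0-M11", "9.0.0.M11", an optional "Apache Tomcat/" prefix) and the host list are assumptions made for illustration.

```python
import re

# Affected ranges copied from the advisory text above (inclusive bounds).
AFFECTED = {
    "CVE-2021-41079": ("9.0.0-M1", "9.0.43"),
    "CVE-2024-21733": ("9.0.0-M11", "9.0.43"),
}

# Assumed input forms: "9.0.43", "9.0.0-M11", "9.0.0.M11", "Apache Tomcat/9.0.43".
_VERSION = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")
_FINAL = 10**6  # sorts a final release after every milestone of the same x.y.z


def version_key(text):
    """Return a sortable tuple; milestones (M<n>) precede the final release."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else _FINAL)


def affected_cves(version):
    """List the CVEs from this page whose affected range contains `version`."""
    key = version_key(version)
    if key[:2] != (9, 0):
        # The ranges above describe the 9.0.x branch only; do not report
        # another branch as unaffected on the basis of this page.
        raise ValueError(f"{version!r} is not a 9.0.x release")
    return sorted(
        cve for cve, (low, high) in AFFECTED.items()
        if version_key(low) <= key <= version_key(high)
    )


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("app-01", "9.0.0.M5"), ("app-02", "Apache Tomcat/9.0.43"),
                 ("app-03", "9.0.44"), ("app-04", "9.0.0-M11")]
    for host, ver in inventory:
        print(host, ver, affected_cves(ver) or "outside both affected ranges")
```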
