Skip to main content

CVE-2021-43980

Severity

5.3

Description

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Project

Apache Tomcat

Apache TomEE

Category
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Tags
data
operational
Date Disclosed

2022-09-28

Date Discovered

2021-11-17

Apache TomEE 8.0.x

First release:
2019-09-13
CVEs:
74
Support Lifecycle:
Namespace:
javax

Apache TomEE 7.1.x

First release:
2018-09-02
CVEs:
68
Support Lifecycle:
Namespace:
javax

Apache TomEE 7.0.x

First release:
2016-05-17
CVEs:
100
Support Lifecycle:
Namespace:
javax
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.