Thomas Wozenilek

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 8.5.0 through 8.5.63 Apache Tomcat versions 9.0.0-M1 through 9.0.43 Apache Tomcat versions 10.0.0-M1 through 10.0.2 **Description** The issue arises from insufficient validation of incoming TLS packets. When configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet can trigger an infinite loop, resulting in a denial of service. This can be exploited by a remote attacker to cause a denial of service using a specially crafted packet. **Recommendations** For Apache Tomcat versions 8.5.0 through 8.5.63, consider disabling the use of NIO+OpenSSL or NIO2+OpenSSL for TLS until a patch is available. For Apache Tomcat versions 9.0.0-M1 through 9.0.43, consider disabling the use of NIO+OpenSSL or NIO2+OpenSSL for TLS until a patch is available. For Apache Tomcat versions 10.0.0-M1 through 10.0.2, consider disabling the use of NIO+OpenSSL or NIO2+OpenSSL for TLS until a patch is available. As a temporary workaround, consider restricting access to the TLS configuration to minimize the risk of exploitation.