PT-2021-3585 · Apache · Apache Tomcat

Published 2021-04-06 · Updated 2025-07-11 · CVE-2021-30639

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Apache Tomcat version 8.5.64; Apache Tomcat version 9.0.44; Apache Tomcat versions 10.0.3 through 10.0.4.

Description

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. The issue stems from an error introduced as part of a change to improve error handling during non-blocking I/O: the error flag associated with the Request object was not reset between requests. As a result, users can trigger non-blocking I/O errors, for example by dropping a connection, and thereby create the conditions for a denial of service. Applications that do not use non-blocking I/O are not exposed to this vulnerability.

Recommendations

For Apache Tomcat version 8.5.64, update to a version that includes the fix for this issue. For Apache Tomcat version 9.0.44, update to a version that includes the fix for this issue. For Apache Tomcat versions 10.0.3 through 10.0.4, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling non-blocking I/O to prevent exploitation of this issue until a patch is available.

Exploit

Fix

DoS

Improper Handling of Exceptional Conditions

Weakness Enumeration

Related Identifiers

ALT-PU-2021-1994
ALT-PU-2025-9146
BDU:2021-03687
BIT-TOMCAT-2021-30639
CVE-2021-30639
GHSA-44QP-QHFV-C7F6

Affected Products

Alt Linux
Apache Tomcat