PT-2021-5289 · Apache · Apache Tomcat

Published: 2021-10-06 · Updated: 2025-07-11 · CVE-2021-42340

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 8.5.60 through 8.5.71
Apache Tomcat versions 9.0.40 through 9.0.53
Apache Tomcat versions 10.0.0-M1 through 10.0.11
Apache Tomcat versions 10.1.0-M1 through 10.1.0-M5
Description

The vulnerability is a memory leak in Apache Tomcat, introduced by the fix for bug 63362: the object used to collect metrics for HTTP upgrade connections is not released for WebSocket connections once the connection is closed. Over time the leaked objects exhaust the heap, leading to a denial of service via an OutOfMemoryError.
Recommendations

For Apache Tomcat versions 8.5.60 through 8.5.71, update to a version that includes the fix for the memory leak.
For Apache Tomcat versions 9.0.40 through 9.0.53, update to a version that includes the fix for the memory leak.
For Apache Tomcat versions 10.0.0-M1 through 10.0.11, update to a version that includes the fix for the memory leak.
For Apache Tomcat versions 10.1.0-M1 through 10.1.0-M5, update to a version that includes the fix for the memory leak.

As a temporary workaround, consider restricting the use of WebSocket connections to minimize the risk of exploitation.
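As an added inventory check (not part of this advisory or of the Tomcat project), the Python script below reads the version line printed by Tomcat's bin/version.sh and tests it against the affected ranges listed above, treating milestone builds (-Mn) as older than the corresponding final release; the sample banner is constructed, and the helper names are my own.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as published for CVE-2021-42340 (inclusive bounds).
AFFECTED_RANGES = [
    ("8.5.60", "8.5.71"),
    ("9.0.40", "9.0.53"),
    ("10.0.0-M1", "10.0.11"),
    ("10.1.0-M1", "10.1.0-M5"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_GA = 10**6  # sentinel so a final release sorts after every milestone of it


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '10.0.0-M5' or '9.0.50' into a sortable tuple.

    The fourth element is the milestone number for -Mn builds and a large
    sentinel for a general-availability release, so 10.1.0-M5 < 10.1.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _GA)


def is_affected(version: str) -> bool:
    """True if the version lies inside any published affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_banner(banner: str) -> Optional[str]:
    """Extract '9.0.50' from the 'Server version: Apache Tomcat/9.0.50' line."""
    m = re.search(r"Apache Tomcat/(\S+)", banner)
    return m.group(1) if m else None


# Constructed sample of bin/version.sh output (hypothetical, not a real capture).
SAMPLE_BANNER = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.50
Server built:   Jul 1 2021 12:00:00 UTC
"""

if __name__ == "__main__":
    found = version_from_banner(SAMPLE_BANNER)
    verdict = "affected by CVE-2021-42340" if found and is_affected(found) else "outside affected ranges"
    print(f"Tomcat {found}: {verdict}")
```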

Exploit · Fix · DoS

Weakness Enumeration

Missing Release of Resource after Effective Lifetime

Related Identifiers

ALT-PU-2022-2165
ALT-PU-2022-3296
ALT-PU-2025-9146
BDU:2021-06115
BIT-TOMCAT-2021-42340
CVE-2021-42340
DSA-5009-1
GHSA-WPH7-X527-W3H5
INFBA-2022_8077
MGASA-2021-0485
OESA-2021-1413
RHSA-2021:4861
ROSA-SA-2023-2258

Affected Products

Alt Linux
Apache Tomcat
Astra Linux
Red Os