PT-2021-7027 · Apache · Apache Tomcat
David Frankson · Published 2021-03-10 · Updated 2026-03-26
CVE-2021-41079 · CVSS v3.1: 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 8.5.0 through 8.5.63
Apache Tomcat versions 9.0.0-M1 through 9.0.43
Apache Tomcat versions 10.0.0-M1 through 10.0.2
Description
The issue arises from insufficient validation of incoming TLS packets. When Tomcat is configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a remote, unauthenticated attacker can send a specially crafted packet that triggers an infinite loop in the TLS handling code, resulting in a denial of service.
Recommendations
For all affected branches (Apache Tomcat 8.5.0 through 8.5.63, 9.0.0-M1 through 9.0.43, and 10.0.0-M1 through 10.0.2), disable the use of NIO+OpenSSL or NIO2+OpenSSL for TLS until a patched build is available.
As a temporary workaround, consider restricting access to the TLS configuration to minimize the risk of exploitation.
Tags: Exploit · Fix · DoS · Infinite Loop · RCE
Affected Products
Alt Linux
Apache Tomcat
Astra Linux
Linuxmint
Suse
Ubuntu