CVE-2021-42340

HIGH

Apache Tomcat 8.5.60-8.5.71, 9.0.40-9.0.53, 10.0.0-M1-10.0.11, 10.1.0-M1-10.1.0-M5 Memory Leak via WebSocket

Title source: llm
STIX 2.1

Description

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

References (9)

Core 9
Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-5009
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20211104-0001/
Third Party Advisory x_refsource_confirm
https://kc.mcafee.com/corporate/index?page=content&id=SB10379
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202208-34

Scores

CVSS v3 7.5
EPSS 0.1100
EPSS Percentile 95.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-772
Status published
Products (32)
apache/tomcat 10.0.0 milestone10
apache/tomcat 10.1.0 milestone1 (5 CPE variants)
apache/tomcat 8.5.60 - 8.5.72
debian/debian_linux 11.0
netapp/hci
netapp/management_services_for_element_software
oracle/agile_engineering_data_management 6.2.1.0
oracle/big_data_spatial_and_graph < 23.1
oracle/communications_diameter_signaling_router 8.0.0.0 - 8.5.0.2
oracle/hospitality_cruise_shipboard_property_management_system 20.1.0
... and 22 more
Published Oct 14, 2021
Tracked Since Feb 18, 2026