Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 14 Oct 2021 15:27:04 +0100
From: Mark Thomas <>
Subject: CVE-2021-42340: Apache Tomcat: DoS via memory leak with WebSocket

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 
10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a 
memory leak. The object introduced to collect metrics for HTTP upgrade 
connections was not released for WebSocket connections once the 
connection was closed. This created a memory leak that, over time, could 
lead to a denial of service via an OutOfMemoryError.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.