CVE-2021-42340 : What You Need to Know

Learn about CVE-2021-42340, a vulnerability in Apache Tomcat versions 8.5.60 to 8.5.71, 9.0.40 to 9.0.53, 10.0.0-M10 to 10.0.11, and 10.1.0-M1 to 10.1.0-M5 potentially leading to a denial of service.

This CVE pertains to a memory leak issue introduced in Apache Tomcat versions 8.5.60 to 8.5.71, 9.0.40 to 9.0.53, 10.0.0-M10 to 10.0.11, and 10.1.0-M1 to 10.1.0-M5, potentially leading to a denial of service via an OutOfMemoryError.

Understanding CVE-2021-42340

What is CVE-2021-42340?

CVE-2021-42340 covers a memory leak introduced by an earlier bug fix in the listed Apache Tomcat versions; it affects WebSocket connections and poses a risk of denial of service.

The Impact of CVE-2021-42340

The vulnerability can trigger a denial of service condition over time, because memory leaked through WebSocket connections accumulates until the JVM runs out of heap.

Technical Details of CVE-2021-42340

Vulnerability Description

The issue originated from a bug fix that failed to release the object used to collect metrics for HTTP upgrade connections; in WebSocket scenarios these objects were retained, causing a memory leak.

Affected Systems and Versions

        Apache Tomcat 8.5.60 to 8.5.71
        Apache Tomcat 9.0.40 to 9.0.53
        Apache Tomcat 10.0.0-M10 to 10.0.11
        Apache Tomcat 10.1.0-M1 to 10.1.0-M5
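To turn the version list above into a check an operator can run against an inventory, here is an added Python example (it is not from this page or the Apache project). The host names and version strings in it are constructed, and it treats milestone builds (-Mn) as preceding the GA release with the same version number, which is how the ranges above read.

```python
import re
from typing import Dict, Tuple

# Affected ranges exactly as listed in the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ("8.5.60", "8.5.71"),
    ("9.0.40", "9.0.53"),
    ("10.0.0-M10", "10.0.11"),
    ("10.1.0-M1", "10.1.0-M5"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    Milestones (-Mn) sort before the GA build of the same x.y.z, so the
    fourth element is 0 for a milestone and 1 for GA; the fifth is n.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' / 'not affected' / 'unknown' for a fleet."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown"  # unparsable string: needs a manual look
    return result


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {"web-01": "9.0.53", "web-02": "9.0.60", "ws-01": "10.0.0-M10",
              "ws-02": "10.1.0-M6", "legacy": "8.5.59", "odd": "9.x"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```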

Exploitation Mechanism

Exploitation relies on WebSocket connections whose resources are not released properly; the resulting memory leak can eventually culminate in a denial of service through an OutOfMemoryError.

Mitigation and Prevention

Immediate Steps to Take

        Users should upgrade to a patched version provided by Apache Software Foundation.
        Monitor system memory usage regularly to detect early signs of a memory leak.

Long-Term Security Practices

        Implement proper resource release mechanisms within applications using WebSocket connections.
        Stay updated on security advisories and promptly apply patches.

Patching and Updates

Apply the latest patches and updates released by Apache Software Foundation to mitigate the risk of memory leaks via WebSocket connections.
