CVE-2021-25122: Apache Tomcat h2c request mix-up
First published: Mon Mar 01 2021(Updated: )
A flaw was found in Apache Tomcat. When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. The highest threat from this vulnerability is to data confidentiality.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jws5-ecj | <0:4.12.0-3.redhat_2.2.el7 | 0:4.12.0-3.redhat_2.2.el7 |
| redhat/jws5-tomcat | <0:9.0.43-11.redhat_00011.1.el7 | 0:9.0.43-11.redhat_00011.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.26-3.redhat_3.el7 | 0:1.2.26-3.redhat_3.el7 |
| redhat/jws5-tomcat-vault | <0:1.1.8-2.Final_redhat_00003.1.el7 | 0:1.1.8-2.Final_redhat_00003.1.el7 |
| redhat/jws5-ecj | <0:4.12.0-3.redhat_2.2.el8 | 0:4.12.0-3.redhat_2.2.el8 |
| redhat/jws5-tomcat | <0:9.0.43-11.redhat_00011.1.el8 | 0:9.0.43-11.redhat_00011.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.26-3.redhat_3.el8 | 0:1.2.26-3.redhat_3.el8 |
| redhat/jws5-tomcat-vault | <0:1.1.8-2.Final_redhat_00003.1.el8 | 0:1.1.8-2.Final_redhat_00003.1.el8 |
| redhat/tomcat | <10.0.2 | 10.0.2 |
| redhat/tomcat | <9.0.43 | 9.0.43 |
| redhat/tomcat | <8.5.63 | 8.5.63 |
| debian/tomcat9 | 9.0.43-2~deb11u10 9.0.43-2~deb11u11 9.0.70-2 9.0.95-1 | |
| IBM Engineering Requirements Management DOORS Web Access | <=9.7.2.7 | |
| IBM Rational DOORS Web Access | <=9.7.2.7 | |
| Tomcat | >=8.5.0<=8.5.61 | |
| Tomcat | >=9.0.0<=9.0.41 | |
| Tomcat | =9.0.0-milestone1 | |
| Tomcat | =9.0.0-milestone10 | |
| Tomcat | =9.0.0-milestone11 | |
| Tomcat | =9.0.0-milestone12 | |
| Tomcat | =9.0.0-milestone13 | |
| Tomcat | =9.0.0-milestone14 | |
| Tomcat | =9.0.0-milestone15 | |
| Tomcat | =9.0.0-milestone16 | |
| Tomcat | =9.0.0-milestone17 | |
| Tomcat | =9.0.0-milestone18 | |
| Tomcat | =9.0.0-milestone19 | |
| Tomcat | =9.0.0-milestone2 | |
| Tomcat | =9.0.0-milestone20 | |
| Tomcat | =9.0.0-milestone21 | |
| Tomcat | =9.0.0-milestone22 | |
| Tomcat | =9.0.0-milestone23 | |
| Tomcat | =9.0.0-milestone24 | |
| Tomcat | =9.0.0-milestone25 | |
| Tomcat | =9.0.0-milestone26 | |
| Tomcat | =9.0.0-milestone27 | |
| Tomcat | =9.0.0-milestone3 | |
| Tomcat | =9.0.0-milestone4 | |
| Tomcat | =9.0.0-milestone5 | |
| Tomcat | =10.0.0 | |
| Tomcat | =10.0.0-milestone1 | |
| Tomcat | =10.0.0-milestone10 | |
| Tomcat | =10.0.0-milestone2 | |
| Tomcat | =10.0.0-milestone3 | |
| Tomcat | =10.0.0-milestone4 | |
| Tomcat | =10.0.0-milestone5 | |
| Tomcat | =10.0.0-milestone6 | |
| Tomcat | =10.0.0-milestone7 | |
| Tomcat | =10.0.0-milestone8 | |
| Tomcat | =10.0.0-milestone9 | |
| Debian Linux | =9.0 | |
| Debian Linux | =10.0 | |
| Oracle Agile Product Lifecycle Management Framework | =9.3.3 | |
| Oracle Agile Product Lifecycle Management Framework | =9.3.6 | |
| Oracle Communications Cloud Native Core Policy | =1.14.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =1.6.0 | |
| Oracle Communications Instant Messaging Server | =10.0.1.5.0 | |
| Oracle Database | =12.2.0.1 | |
| Oracle Database | =19c | |
| Oracle Database | =21c | |
| Oracle Client | <21.3.0 | |
| Oracle Client | =21.3.0 | |
| Oracle Instantis EnterpriseTrack | =17.1 | |
| Oracle Instantis EnterpriseTrack | =17.2 | |
| Oracle Instantis EnterpriseTrack | =17.3 | |
| Oracle Managed File Transfer | =12.2.1.3.0 | |
| Oracle Managed File Transfer | =12.2.1.4.0 | |
| MySQL Enterprise Monitor | <=8.0.23 | |
| Oracle Siebel User Interface Framework | <=21.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-25122 https://nvd.nist.gov/vuln/detail/CVE-2021-25122 http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3Cb7626398-5e6d-1639-4e9e-e41b34af84de%40apache.org%3E https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.2 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.63 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
- https://bugzilla.redhat.com/show_bug.cgi?id=1934032
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2021:2562
- https://access.redhat.com/errata/RHSA-2021:2561
- https://access.redhat.com/errata/RHSA-2021:3425
- https://access.redhat.com/security/cve/cve-2021-25122
- https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/03/01/1
- https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rcd90bf36b1877e1310b87ecd14ed7bbb15da52b297efd9f0e7253a3b@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rd0463f9a5cbc02a485404c4b990f0da452e5ac5c237808edba11c947@%3Cusers.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html
- https://security.netapp.com/advisory/ntap-20210409-0002/
- https://www.debian.org/security/2021/dsa-4891
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://security.gentoo.org/glsa/202208-34
- https://launchpad.net/bugs/cve/CVE-2021-25122
- https://github.com/apache/tomcat/commit/dd757c0a893e2e35f8bc1385d6967221ae8b9b9b
- https://github.com/apache/tomcat/commit/d47c20a776e8919eaca8da9390a32bc8bf8210b1
- https://github.com/apache/tomcat/commit/bb0e7c1e0d737a0de7d794572517bce0e91d30fa
- http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3Cb7626398-5e6d-1639-4e9e-e41b34af84de%40apache.org%3E
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.2
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.63
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://exchange.xforce.ibmcloud.com/vulnerabilities/197517
- https://www.ibm.com/support/pages/node/7124058 (Advisory)
- https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rcd90bf36b1877e1310b87ecd14ed7bbb15da52b297efd9f0e7253a3b%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rd0463f9a5cbc02a485404c4b990f0da452e5ac5c237808edba11c947%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E
- https://www.openwall.com/lists/oss-security/2021/03/01/1
- https://security-tracker.debian.org/tracker/CVE-2021-25122
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25122
- https://nvd.nist.gov/vuln/detail/CVE-2021-25122
- https://ubuntu.com/security/CVE-2021-25122
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-25122?
The severity of CVE-2021-25122 is high.
Which versions of Apache Tomcat are affected by CVE-2021-25122?
Apache Tomcat versions 10.0.0-M1 to 10.0.0 and 9.0.0.M1 to 9.0.43 are affected by CVE-2021-25122.
How does CVE-2021-25122 affect Apache Tomcat?
CVE-2021-25122 allows user A and user B to see the results of user A's request due to duplicate request headers and a limited amount of request body.
What is the remedy for CVE-2021-25122 in Apache Tomcat 10.0.2?
The remedy for CVE-2021-25122 in Apache Tomcat 10.0.2 is to update to version 10.0.3.
Where can I find more information about CVE-2021-25122?
You can find more information about CVE-2021-25122 at the following references: [link1], [link2], [link3].
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/title
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-25122
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/trending
- collector/security-tracker-debian
- source/Debian
- agent/source
- agent/author
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/ibm
- canonical/ibm engineering requirements management doors web access
- version/ibm engineering requirements management doors web access/9.7.2.7
- canonical/ibm rational doors web access
- version/ibm rational doors web access/9.7.2.7
- vendor/apache
- canonical/tomcat
- version/tomcat/8.5.0
- version/tomcat/8.5.61
- version/tomcat/9.0.0
- version/tomcat/9.0.41
- version/tomcat/9.0.0-milestone1
- version/tomcat/9.0.0-milestone10
- version/tomcat/9.0.0-milestone11
- version/tomcat/9.0.0-milestone12
- version/tomcat/9.0.0-milestone13
- version/tomcat/9.0.0-milestone14
- version/tomcat/9.0.0-milestone15
- version/tomcat/9.0.0-milestone16
- version/tomcat/9.0.0-milestone17
- version/tomcat/9.0.0-milestone18
- version/tomcat/9.0.0-milestone19
- version/tomcat/9.0.0-milestone2
- version/tomcat/9.0.0-milestone20
- version/tomcat/9.0.0-milestone21
- version/tomcat/9.0.0-milestone22
- version/tomcat/9.0.0-milestone23
- version/tomcat/9.0.0-milestone24
- version/tomcat/9.0.0-milestone25
- version/tomcat/9.0.0-milestone26
- version/tomcat/9.0.0-milestone27
- version/tomcat/9.0.0-milestone3
- version/tomcat/9.0.0-milestone4
- version/tomcat/9.0.0-milestone5
- version/tomcat/10.0.0
- version/tomcat/10.0.0-milestone1
- version/tomcat/10.0.0-milestone10
- version/tomcat/10.0.0-milestone2
- version/tomcat/10.0.0-milestone3
- version/tomcat/10.0.0-milestone4
- version/tomcat/10.0.0-milestone5
- version/tomcat/10.0.0-milestone6
- version/tomcat/10.0.0-milestone7
- version/tomcat/10.0.0-milestone8
- version/tomcat/10.0.0-milestone9
- vendor/debian
- canonical/debian linux
- version/debian linux/9.0
- version/debian linux/10.0
- vendor/oracle
- canonical/oracle agile product lifecycle management framework
- version/oracle agile product lifecycle management framework/9.3.3
- version/oracle agile product lifecycle management framework/9.3.6
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- canonical/oracle communications cloud native core network repository function
- version/oracle communications cloud native core network repository function/1.6.0
- canonical/oracle communications instant messaging server
- version/oracle communications instant messaging server/10.0.1.5.0
- canonical/oracle database
- version/oracle database/12.2.0.1
- version/oracle database/19c
- version/oracle database/21c
- canonical/oracle client
- version/oracle client/21.3.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle managed file transfer
- version/oracle managed file transfer/12.2.1.3.0
- version/oracle managed file transfer/12.2.1.4.0
- canonical/mysql enterprise monitor
- version/mysql enterprise monitor/8.0.23
- canonical/oracle siebel user interface framework
- version/oracle siebel user interface framework/21.9