CVE-2021-30639: DoS after non-blocking IO error
First published: Mon Jul 12 2021(Updated: )
A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/tomcat9 | 9.0.31-1~deb10u6 9.0.31-1~deb10u10 9.0.43-2~deb11u6 9.0.43-2~deb11u9 9.0.70-2 | |
| IBM DRM | <=2.0.6 | |
| Apache Tomcat | =8.5.64 | |
| Apache Tomcat | =9.0.44 | |
| Apache Tomcat | =10.0.3 | |
| Apache Tomcat | =10.0.4 | |
| McAfee ePolicy Orchestrator | <5.10.0 | |
| McAfee ePolicy Orchestrator | =5.10.0 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_1 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_10 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_2 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_3 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_4 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_5 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_6 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_7 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_8 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_9 | |
| Oracle Big Data Spatial And Graph | <23.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bz.apache.org/bugzilla/show_bug.cgi?id=65203
- https://github.com/apache/tomcat/commit/8ece47c4a9fb9349e8862c84358a4dd23c643a24
- https://github.com/apache/tomcat/commit/411caf29ac1c16e6ac291b6e5543b2371dbd25e2
- https://security-tracker.debian.org/tracker/CVE-2021-30639
- https://exchange.xforce.ibmcloud.com/vulnerabilities/205212
- https://www.ibm.com/support/pages/node/6497499 (Advisory)
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366
- https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E
- https://security.gentoo.org/glsa/202208-34
- https://security.netapp.com/advisory/ntap-20210827-0007/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cdev.tomcat.apache.org%3E
Frequently Asked Questions
What is CVE-2021-30639?
CVE-2021-30639 is a vulnerability in Apache Tomcat that allows an attacker to remotely trigger a denial of service.
What is the severity of CVE-2021-30639?
The severity of CVE-2021-30639 is high with a CVSS score of 7.5.
How does CVE-2021-30639 affect Apache Tomcat?
CVE-2021-30639 affects Apache Tomcat versions 8.5.64, 9.0.44, 10.0.3, and 10.0.4.
Is there a fix for CVE-2021-30639?
Yes, there are fixes available for CVE-2021-30639. The recommended version is 9.0.31-1~deb10u6, 9.0.31-1~deb10u10, 9.0.43-2~deb11u6, 9.0.43-2~deb11u9, or 9.0.70-2.
Where can I find more information about CVE-2021-30639?
More information about CVE-2021-30639 can be found at the following references: [link1](https://bz.apache.org/bugzilla/show_bug.cgi?id=65203), [link2](https://github.com/apache/tomcat/commit/8ece47c4a9fb9349e8862c84358a4dd23c643a24), [link3](https://github.com/apache/tomcat/commit/411caf29ac1c16e6ac291b6e5543b2371dbd25e2).
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/remedy
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- package-manager/debian
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/8.5.64
- version/apache tomcat/9.0.44
- version/apache tomcat/10.0.3
- version/apache tomcat/10.0.4
- vendor/mcafee
- canonical/mcafee epolicy orchestrator
- version/mcafee epolicy orchestrator/5.10.0
- version/mcafee epolicy orchestrator/5.10.0-update_1
- version/mcafee epolicy orchestrator/5.10.0-update_10
- version/mcafee epolicy orchestrator/5.10.0-update_2
- version/mcafee epolicy orchestrator/5.10.0-update_3
- version/mcafee epolicy orchestrator/5.10.0-update_4
- version/mcafee epolicy orchestrator/5.10.0-update_5
- version/mcafee epolicy orchestrator/5.10.0-update_6
- version/mcafee epolicy orchestrator/5.10.0-update_7
- version/mcafee epolicy orchestrator/5.10.0-update_8
- version/mcafee epolicy orchestrator/5.10.0-update_9
- vendor/oracle
- canonical/oracle big data spatial and graph
- vendor/ibm
- canonical/ibm drm
- version/ibm drm/2.0.6