A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

The version of Tomcat installed on the remote host is prior to 8.5.65. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.65_security-8 advisory.

  - A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error     introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag     associated with the Request object was not reset between requests. This meant that once a non-blocking I/O     error occurred, all future requests handled by that request object would fail. Users were able to trigger     non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a     DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue     affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64. (CVE-2021-30639)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.45. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.45_security-9 advisory.

  - A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error     introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag     associated with the Request object was not reset between requests. This meant that once a non-blocking I/O     error occurred, all future requests handled by that request object would fail. Users were able to trigger     non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a     DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue     affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64. (CVE-2021-30639)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202208-34 (Apache Tomcat: Multiple Vulnerabilities)

  - When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to     9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one     request to another meaning user A and user B could both see the results of user A's request.
    (CVE-2021-25122)

  - The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to     9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be     used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published     prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to     this issue. (CVE-2021-25329)

  - A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error     introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag     associated with the Request object was not reset between requests. This meant that once a non-blocking I/O     error occurred, all future requests handled by that request object would fail. Users were able to trigger     non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a     DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue     affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64. (CVE-2021-30639)

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to     9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP     upgrade connections was not released for WebSocket connections once the connection was closed. This     created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

  - In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the     Form authentication example in the examples web application displayed user provided data without     filtering, exposing a XSS vulnerability. (CVE-2022-34305)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

rbeaudry reports :

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS.

Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4;
9.0.44; 8.5.64.

The version of Apache Tomcat installed on the remote host is 10.0.3 to 10.0.4, 9.0.44 or 8.5.64. It is, therefore, affected by a denial of service due to an error introduced as part of a change to improve error handling during non-blocking I/O.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.0.5. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.0.5_security-10 advisory.

  - A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error     introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag     associated with the Request object was not reset between requests. This meant that once a non-blocking I/O     error occurred, all future requests handled by that request object would fail. Users were able to trigger     non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a     DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue     affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64. (CVE-2021-30639)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
197845	Apache Tomcat 8.5.0 < 8.5.65	Nessus	Web Servers	high
197840	Apache Tomcat 9.0.0 < 9.0.45	Nessus	Web Servers	high
164434	GLSA-202208-34 : Apache Tomcat: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
152206	FreeBSD : tomcat -- Remote Denial of Service in multiple versions (cc7c85d9-f30a-11eb-b12b-fc4dd43e2b6a)	Nessus	FreeBSD Local Security Checks	high
112905	Apache Tomcat 8.5.64 Denial of Service	Web App Scanning	Component Vulnerability	high
112904	Apache Tomcat 9.0.44 Denial of Service	Web App Scanning	Component Vulnerability	high
112903	Apache Tomcat 10.0.3 < 10.0.5 Denial of Service	Web App Scanning	Component Vulnerability	high
151504	Apache Tomcat 10.0.3 < 10.0.5	Nessus	Web Servers	high

Detections

Analytics

CVE-2021-30639

high

Tenable Plugins

high

high

high

high

high

high

high

high