[thredds] Fwd: [SECURITY] CVE-2021-30639 Apache Tomcat DoS

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2021-30639 Apache Tomcat DoS
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Mon, 12 Jul 2021 11:18:21 -0600
A few new Tomcat CVEs came out today, 2 of which have a severity of
'important' (including the attached).

Please upgrade your Tomcat installations.



---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Mon, Jul 12, 2021 at 7:14 AM
Subject: [SECURITY] CVE-2021-30639 Apache Tomcat DoS
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, <announce@xxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>


CVE-2021-30639 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.3 to 10.0.4
Apache Tomcat 9.0.44
Apache Tomcat 8.5.64

Description:
An error introduced as part of a change to improve error handling during
non-blocking I/O meant that the error flag associated with the Request
object was not reset between requests. This meant that once a
non-blocking I/O error occurred, all future requests handled by that
request object would fail. Users were able to trigger non-blocking I/O
errors, e.g. by dropping a connection, thereby creating the possibility
of triggering a DoS.
Applications that do not use non-blocking I/O are not exposed to this
vulnerability.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.5 or later
- Upgrade to Apache Tomcat 9.0.45 or later
- Upgrade to Apache Tomcat 8.5.65 or later

History:
2021-07-12 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
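The failure mode the advisory describes is a pooled, reused object carrying per-request error state across requests. The model below is an added illustration in Python, not Tomcat source or anything from the Unidata project; the class and method names (Request, recycle, handle, serve) and the request stream are invented for the example and only mirror the advisory's wording: once one non-blocking I/O error is recorded, every later request served by the same object fails unless the flag is cleared on recycle.

```python
"""Model of CVE-2021-30639: a reusable Request object whose error flag is not
reset between requests (vulnerable) versus one that clears it on recycle (fixed).
Added example; names and the sample request stream are constructed here and are
not Tomcat's API."""


class Request:
    """One reusable request object, as a container would recycle per connection."""

    def __init__(self, reset_error_on_recycle):
        # True models the fixed releases (10.0.5 / 9.0.45 / 8.5.65), False the affected ones.
        self.reset_error_on_recycle = reset_error_on_recycle
        self.error = False  # the error flag the advisory says was left set
        self.body = None

    def recycle(self):
        """Clear per-request state before the object serves the next request."""
        self.body = None
        if self.reset_error_on_recycle:
            self.error = False  # the fix: error state is per request, not per object

    def handle(self, raw):
        """Serve one request and return an HTTP status code.

        raw is the request bytes; None stands for the client dropping the
        connection mid-read, which surfaces as a non-blocking I/O error.
        """
        self.recycle()
        if self.error:
            # Poisoned object: fails before even looking at the new request.
            return 500
        if raw is None:
            self.error = True  # the non-blocking read failed; record it
            return 500
        self.body = raw
        return 200


def serve(reset_error_on_recycle, stream):
    """Run a whole request stream through a single recycled Request object."""
    req = Request(reset_error_on_recycle)
    return [req.handle(raw) for raw in stream]


# Constructed stream: two good requests, one dropped connection, three good requests.
STREAM = [b"GET /a", b"GET /b", None, b"GET /c", b"GET /d", b"GET /e"]

VULNERABLE = serve(False, STREAM)  # every request after the drop fails: DoS
FIXED = serve(True, STREAM)        # only the dropped request itself fails

if __name__ == "__main__":
    print("vulnerable:", VULNERABLE)
    print("fixed:     ", FIXED)
```

In the vulnerable run an attacker who can open a connection and drop it mid-request poisons that Request object for every client it later serves, which is why the advisory rates a plain connection drop as a DoS; the fixed run shows the same drop affecting only the one request. The model also matches the advisory's scoping note: code paths that never take the non-blocking read (never pass None here) never set the flag and are not exposed.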