
[thredds] Fwd: [SECURITY] CVE-2021-41079 Apache Tomcat DoS

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2021-41079 Apache Tomcat DoS
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Wed, 15 Sep 2021 12:12:54 -0600
If you are using the NIO or NIO connectors in Tomcat, please upgrade at
your earliest convenience.

---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Wed, Sep 15, 2021 at 11:53 AM
Subject: [SECURITY] CVE-2021-41079 Apache Tomcat DoS
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, <announce@xxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>


CVE-2021-41079 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.2
Apache Tomcat 9.0.0-M1 to 9.0.43
Apache Tomcat 8.5.0 to 8.5.63

Description:
When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a
specially crafted packet could be used to trigger an infinite loop
resulting in a denial of service.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.4 or later
- Upgrade to Apache Tomcat 9.0.44 or later
- Upgrade to Apache Tomcat 8.5.64 or later

Note: This issue was fixed in Apache Tomcat 10.0.3 but the release vote
for the 10.0.3 release candidate did not pass. Therefore, although users
must download 10.0.4 to obtain a version that includes a fix for this
issue, version 10.0.3 is not included in the list of affected versions.

Credit:
The Apache Tomcat Security Team would like to thank:
- Thomas Wozenilek for originally reporting this issue
- David Frankson of Infinite Campus for providing a test case that
   reproduced the issue.

History:
2021-09-15 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
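A small audit helper for this advisory, added here as an example and not part of the Unidata or Tomcat messages above: it orders Tomcat version strings (milestones such as 10.0.0-M1 included) against the affected ranges listed, and flags SSLEnabled NIO/NIO2 connectors in server.xml whose sslImplementationName is the OpenSSL implementation or is unset, since Tomcat 8.5+ selects OpenSSL automatically when the tcnative library is loaded. The server.xml content and the SAMPLE_SERVER_XML name are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges from the advisory. 10.0.3 was fixed but never
# released, so the 10.0.x range ends at 10.0.2 exactly as the advisory states.
AFFECTED = [("10.0.0-M1", "10.0.2"), ("9.0.0-M1", "9.0.43"), ("8.5.0", "8.5.63")]
NIO_PROTOCOLS = {"org.apache.coyote.http11.Http11NioProtocol",
                 "org.apache.coyote.http11.Http11Nio2Protocol",
                 "HTTP/1.1"}  # bare HTTP/1.1 normally auto-selects NIO on 8.5+
OPENSSL_IMPL = "org.apache.tomcat.util.net.openssl.OpenSSLImplementation"

def version_key(v):
    """Sort key for Tomcat versions; milestones (10.0.0-M1) precede final 10.0.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v)
    if not m:
        raise ValueError("unrecognised Tomcat version: " + v)
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), ms is None, int(ms or 0))

def is_affected(version):
    """True when version falls inside one of the advisory's affected ranges."""
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED)

def exposed_connectors(server_xml):
    """List (port, finding) for TLS connectors on NIO/NIO2 that use, or may use, OpenSSL."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        if c.get("protocol", "HTTP/1.1") not in NIO_PROTOCOLS:
            continue  # APR/native connector is not in scope of this advisory
        impl = c.get("sslImplementationName")
        if impl == OPENSSL_IMPL:
            findings.append((c.get("port"), "openssl-explicit"))
        elif impl is None:
            # unset: Tomcat 8.5+ picks OpenSSL automatically when tcnative is loaded
            findings.append((c.get("port"), "openssl-if-tcnative"))
    return findings

# Constructed sample server.xml (not a real deployment) for a stand-alone run.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" sslImplementationName="%s"/>
</Service></Server>""" % OPENSSL_IMPL

if __name__ == "__main__":
    print(is_affected("9.0.43"), exposed_connectors(SAMPLE_SERVER_XML))
```

An "openssl-if-tcnative" finding is only conclusive once you confirm whether the native library is actually loaded on that host; the version check alone decides whether the upgrade is due.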