<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2021-41079: Apache Tomcat DoS with unexpected TLS packet
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Mark Thomas <markt () apache org>
Date: Wed, 15 Sep 2021 18:57:33 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Severity: high
Description:
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to
10.0.2 did not properly validate incoming TLS packets. When Tomcat was
configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially
crafted packet could be used to trigger an infinite loop resulting in a
denial of service.
Credit:
The Apache Tomcat security team would like to thank Thomas Wozenilek for
originally reporting this issue and David Frankson of Infinite Campus
for also providing a test case that reproduced the issue.
References:
https://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2021-41079: Apache Tomcat DoS with unexpected TLS packet Mark Thomas (Sep 15)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->