Loop with Unreachable Exit Condition ('Infinite Loop') Affecting tomcat-jsp-2_3-api package, versions <9.0.36-3.84.1
- Snyk ID: SNYK-SLES150-TOMCATJSP23API-2655105
- Published: 14 Apr 2022
- Disclosed: 16 Nov 2021
- Introduced: 16 Nov 2021
- CVE: CVE-2021-41079

How to fix?
Upgrade the SLES:15.0 tomcat-jsp-2_3-api package to version 9.0.36-3.84.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream tomcat-jsp-2_3-api package and not to the tomcat-jsp-2_3-api package as distributed by SLES. See "How to fix?" above for the fixed versions and status relevant to SLES:15.0.
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
References
- https://www.suse.com/security/cve/CVE-2021-41079.html
- https://lists.suse.com/pipermail/sle-security-updates/2021-November/009730.html
- https://www.suse.com/support/update/announcement/2021/suse-su-20213670-1/
- https://bugzilla.suse.com/1188278
- https://bugzilla.suse.com/1188279
- https://bugzilla.suse.com/1190558
- https://www.suse.com/security/cve/CVE-2021-30640/
- https://www.suse.com/security/cve/CVE-2021-33037/
- https://www.suse.com/security/cve/CVE-2021-41079/
- https://www.suse.com/support/security/rating/
- https://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/09/msg00012.html
- https://security.netapp.com/advisory/ntap-20211008-0005/
- https://lists.apache.org/thread.html/r6b6b674e3f168dd010e67dbe6848b866e2acf26371452fdae313b98a@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb4de81ac647043541a32881099aa6eb5a23f1b7fd116f713f8ab9dbe@%3Cdev.tomcat.apache.org%3E
- https://www.debian.org/security/2021/dsa-4986