CVE-2021-41079 in Tomcatinfo

Summary

by MITRE • 09/16/2021

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 09/19/2021

Apache Tomcat versions 8.5.0 through 8.5.63, 9.0.0-M1 through 9.0.43, and 10.0.0-M1 through 10.0.2 contained a critical vulnerability in their TLS packet validation mechanism that could be exploited to cause denial of service conditions. This flaw specifically affected configurations utilizing NIO+OpenSSL or NIO2+OpenSSL protocols for secure communications, creating a scenario where maliciously crafted TLS packets could trigger an infinite loop within the server's processing logic. The vulnerability stems from inadequate input validation of TLS handshake packets, particularly when the server processes encrypted traffic through the OpenSSL native library integration. When such malformed packets were received, the Tomcat server would enter an infinite loop during the TLS handshake process, consuming excessive CPU resources and rendering the service unavailable to legitimate clients. This issue represents a classic denial of service vulnerability that can be exploited without authentication, making it particularly dangerous in production environments where service availability is critical. The technical flaw aligns with CWE-835, which describes infinite loops or other forms of unbounded repetition that can lead to resource exhaustion. From an operational perspective, this vulnerability presents a significant risk to web applications relying on Tomcat as their application server, especially in high-traffic scenarios where a single malicious connection could bring down entire services. The exploit requires minimal technical expertise and can be executed through standard network tools, making it a popular target for attackers seeking to disrupt services. Organizations running affected versions of Tomcat should immediately implement mitigations including upgrading to patched versions, implementing network-level protections such as rate limiting and connection filtering, and monitoring for unusual CPU consumption patterns that may indicate exploitation attempts. The ATT&CK framework categorizes this as a denial of service attack vector under the technique of resource exhaustion, where attackers leverage application-level flaws to consume system resources and render services unavailable. Security teams should also consider implementing intrusion detection systems that can identify the specific packet patterns associated with this vulnerability, enabling proactive detection and response to potential exploitation attempts.

Reservation

09/15/2021

Disclosure

09/16/2021

Moderation

accepted

CPE

ready

EPSS

0.06687

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!