Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
| Link | Tags |
|---|---|
| https://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E | mailing list vendor advisory |
| https://lists.debian.org/debian-lts-announce/2021/09/msg00012.html | third party advisory mailing list |
| https://security.netapp.com/advisory/ntap-20211008-0005/ | third party advisory |
| https://lists.apache.org/thread.html/rb4de81ac647043541a32881099aa6eb5a23f1b7fd116f713f8ab9dbe%40%3Cdev.tomcat.apache.org%3E | mailing list |
| https://lists.apache.org/thread.html/r6b6b674e3f168dd010e67dbe6848b866e2acf26371452fdae313b98a%40%3Cusers.tomcat.apache.org%3E | mailing list |
| https://www.debian.org/security/2021/dsa-4986 | third party advisory vendor advisory |