CVE-2021-43980: Apache Tomcat Information Disclosure Vulnerability


On September 28, Tomcat published its latest security bulletin, which describes an information disclosure vulnerability. Tracked as CVE-2021-43980, it is rated high severity. Security researchers Adam Thomas, Richard Hernandez, and Ryan Schmitt have been credited with reporting the flaw.

Apache Tomcat is a free, open-source, lightweight web application server. It is widely used in small and medium-sized systems where the number of concurrent users is modest, and it is the first choice for developing and debugging JSP programs.

Vulnerability Detail

CVE-2021-43980 stems from a long-standing concurrency flaw exposed by the simplified implementation of blocking reads and writes. Under the right timing, two client connections can end up sharing a single Http11Processor instance, so an attacker who triggers the race could receive responses, or parts of responses, intended for another client, and could use the disclosed data to launch further attacks against the affected system.

“The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client,” read the security advisory.

Affected versions

  • Apache Tomcat 10.1.0-M1 to 10.1.0-M12
  • Apache Tomcat 10.0.0-M1 to 10.0.18
  • Apache Tomcat 9.0.0-M1 to 9.0.60
  • Apache Tomcat 8.5.0 to 8.5.77

Fixed versions

  • Upgrade to Apache Tomcat 10.1.0-M14 or later once released
  • Upgrade to Apache Tomcat 10.0.20 or later once released
  • Upgrade to Apache Tomcat 9.0.62 or later once released
  • Upgrade to Apache Tomcat 8.5.78 or later once released
  • Note: 10.1.0-M13, 10.0.19, and 9.0.61 were not released
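To check an installed instance against the affected and fixed ranges above, here is an added example (not code from the advisory or the Tomcat project) that parses Tomcat version strings, including milestone builds such as 10.1.0-M12, and reports whether a version falls in an affected range. It assumes the version is taken from the "Server version: Apache Tomcat/x.y.z" line that `catalina.sh version` prints; the sample output below is constructed.

```python
import re

# Affected ranges from the advisory, as (lowest affected, highest affected).
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M12"),
    ("10.0.0-M1", "10.0.18"),
    ("9.0.0-M1", "9.0.60"),
    ("8.5.0", "8.5.77"),
]

# A GA release sorts after every milestone with the same numbers (10.0.0-M1 < 10.0.0).
GA_MILESTONE = 10**6
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def parse_version(text):
    """Return a comparable (major, minor, patch, milestone) tuple from a Tomcat
    version string such as '9.0.60', '10.1.0-M12' or 'Apache Tomcat/8.5.77'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone else GA_MILESTONE
    return (int(major), int(minor), int(patch), ms)


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def check_version_output(output):
    """Scan `catalina.sh version` output (assumed format) for the server version
    line and return (version string, affected flag)."""
    for line in output.splitlines():
        if line.strip().startswith("Server version:"):
            version = line.split("/", 1)[1].strip()
            return version, is_affected(version)
    raise ValueError("no 'Server version:' line found")


if __name__ == "__main__":
    # Constructed sample of the relevant lines printed by `catalina.sh version`.
    sample = "Using CATALINA_BASE:   /opt/tomcat\nServer version: Apache Tomcat/9.0.60\nServer number:  9.0.60.0\n"
    version, affected = check_version_output(sample)
    print(f"{version}: {'AFFECTED, upgrade' if affected else 'not affected'} (CVE-2021-43980)")
```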

Solution

Tomcat has fixed the flaw in the latest releases, and affected users are advised to upgrade as soon as possible.