CVE-2021-42340 - Denial of Service (DoS)

Severity: High
Date: 2021-12-06


Abstract

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Oxygen Feedback and Oxygen XML Web Author embed Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of that third-party library vulnerability on those products.

Affected Products/Versions

Product                               Severity   Fixed Release Availability
Oxygen Feedback 1.4.3 and older       High       Oxygen Feedback 1.4.4 build 2021062217
Oxygen XML Web Author 23.1 and older  High       Oxygen XML Web Author 23.1 build 2021112409

Mitigation

None. There is no configuration workaround; update to one of the fixed releases listed under Affected Products/Versions.

Detail

CVE-2021-42340

Severity: high

CVSS Score: 7.5

Oxygen Feedback products ship Apache Tomcat 9.0.52, which falls inside the affected range (9.0.40 to 9.0.53) given in the CVE-2021-42340 description.
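As a practical check, the following added Python example (not Oxygen's or Apache Tomcat's own code) encodes the four affected ranges from the CVE description, parses Tomcat version strings including milestone builds such as 10.0.0-M7, and reads the shipped version out of a catalina.jar. The jar used here is constructed in memory; the properties path org/apache/catalina/util/ServerInfo.properties and the server.info key are assumed to match standard Tomcat packaging.

```python
"""Check whether an Apache Tomcat version is inside the CVE-2021-42340
affected ranges quoted in the advisory.

Added example for this advisory page; it is not Oxygen's or Apache
Tomcat's own code.  Assumption: catalina.jar contains
org/apache/catalina/util/ServerInfo.properties with a line of the form
`server.info=Apache Tomcat/<version>`.
"""
import io
import re
import zipfile
from typing import Optional, Tuple

# Affected ranges exactly as stated in the CVE-2021-42340 description (inclusive).
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M5"),
    ("10.0.0-M1", "10.0.11"),
    ("9.0.40", "9.0.53"),
    ("8.5.60", "8.5.71"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Parse '9.0.52' or '10.0.0-M7' into a sortable tuple.

    Milestone builds (-Mn) precede the GA release of the same number, so
    the tuple carries a GA flag (0 = milestone, 1 = GA) ahead of the
    milestone number.  A fourth numeric component such as '9.0.52.0'
    (the server.number form) is not accepted; strip it before calling.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if `version` lies within any of the affected ranges (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def tomcat_version_from_jar(jar_bytes: bytes) -> Optional[str]:
    """Extract the Tomcat version from catalina.jar's ServerInfo.properties.

    Returns None when the entry is missing (i.e. this is not a catalina.jar).
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        try:
            props = jar.read("org/apache/catalina/util/ServerInfo.properties").decode()
        except KeyError:
            return None
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.info":
            # The value looks like 'Apache Tomcat/9.0.52'; keep the part after '/'.
            return value.strip().rsplit("/", 1)[-1]
    return None


def make_fake_catalina_jar(version: str) -> bytes:
    """Constructed stand-in for catalina.jar holding only the properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/catalina/util/ServerInfo.properties",
                     f"server.info=Apache Tomcat/{version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Versions named on this page plus a few boundary cases around the ranges.
    for v in ["9.0.52", "9.0.54", "9.0.55", "10.0.0-M10", "10.0.12", "10.1.0-M6", "8.5.71"]:
        print(f"{v:>11}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    shipped = tomcat_version_from_jar(make_fake_catalina_jar("9.0.52"))
    print("version read from constructed jar:", shipped, "->",
          "AFFECTED" if is_affected(shipped) else "not affected")
```

Against a real installation, replace make_fake_catalina_jar with the bytes of lib/catalina.jar from the Tomcat bundled with the product; the version comparison is the same.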

Starting with Oxygen Feedback version 1.4.4, Apache Tomcat was updated to version 9.0.54, which includes the fix for CVE-2021-42340.

Starting with Oxygen XML Web Author version 23.1 build 2021112409, Apache Tomcat was updated to version 9.0.55, which includes the fix for CVE-2021-42340.
