Lucene search
VshanmugamJRASERVER-72609HistoryJul 14, 2021 - 11:35 a.m.
Upgrade the bundled version of Apache Tomcat to 8.5.68 or later
2021-07-1411:35:20
vshanmugam
jira.atlassian.com
28
apache tomcat
upgrade
cve-2021-33037
memory leak
CVSS2
5.8
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
0.15
Percentile
95.9%
h3. Issue Summary
The recently disclosed vulnerability regarding Apache Tomcat
- [CVE-2021-33037|https://vulners.com/cve/CVE-2021-33037], [CVE-2021-33037|https://nvd.nist.gov/vuln/detail/CVE-2021-33037] (Base Score: 5.3 MEDIUM)
- [CVE-2021-42340|https://vulners.com/cve/CVE-2021-42340] (NVD score not yet provided.)
{quote}The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
{quote}
affects the following versions:
- Apache Tomcat 10.0.0-M1 to 10.0.6
- Apache Tomcat 9.0.0.M1 to 9.0.53
- Apache Tomcat 8.5.60 to 8.5.71
We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.
Current bundled version of Tomcat 8.5.68
h3. Steps to Reproduce
- Check the CVE reports:
** [CVE-2021-33037|https://vulners.com/cve/CVE-2021-33037]
h3. Expected Results
- Not applicable.
h3. Actual Results
- Not applicable.
h3. Workaround
- Manually upgrade Tomcat according to our [documentation|https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-used-by-jira-879957866.html].
h3. Note on fix
Jira 8.21.0 is shipped with Apache Tomcat 8.5.72
Affected configurations
Node
atlassianjira_data_centerRange≤8.5.1
ORatlassianjira_data_centerRange≤8.17.1
ORatlassianjira_data_centerRange≤8.5.19
ORatlassianjira_data_centerRange≤8.13.11
ORatlassianjira_data_centerRange≤8.19.1
ORatlassianjira_data_centerRange≤8.20.0
ORatlassianjira_data_centerRange≤8.20.1
ORatlassianjira_data_centerRange≤8.20.2
ORatlassianjira_data_centerRange<8.21.0
ORatlassianjira_data_centerRange<8.13.18
ORatlassianjira_data_centerRange<8.20.6
| Vendor | Product | Version | CPE |
|---|---|---|---|
| atlassian | jira_data_center | * | cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* |
Related
atlassian
atlassian
Upgrade the bundled version of Apache Tomcat to 8.5.68 or later
2021-07-14 11:35:20
gentoo
gentoo
Apache Tomcat: Multiple Vulnerabilities
2022-08-21 00:00:00
osv
osv
tomcat9 vulnerabilities
2022-03-31 18:51:57
tomcat9 - security update
2021-08-09 00:00:00
tomcat8 - security update
2021-08-05 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-5360-1)
2022-04-01 00:00:00
Mageia: Security Advisory (MGASA-2021-0485)
2022-01-28 00:00:00
Debian: Security Advisory (DSA-4891-1)
2021-04-15 00:00:00
ubuntu
ubuntu
Tomcat vulnerabilities
2022-03-31 00:00:00
nessus
nessus
Ubuntu 18.04 LTS / 20.04 LTS : Tomcat vulnerabilities (USN-5360-1)
2022-04-01 00:00:00
GLSA-202208-34 : Apache Tomcat: Multiple Vulnerabilities
2022-08-25 00:00:00
Photon OS 3.0: Apache PHSA-2021-3.0-0327
2024-07-24 00:00:00
mageia
mageia
Updated tomcat packages fix security vulnerability
2021-10-23 13:05:28
Updated tomcat packages fix security vulnerabilities
2021-07-20 13:46:47
Updated tomcat packages fix a security vulnerability
2020-10-30 01:25:06
debian
debian
[SECURITY] [DLA 2733-1] tomcat8 security update
2021-08-05 21:40:35
[SECURITY] [DSA 4952-1] tomcat9 security update
2021-08-09 21:06:14
[SECURITY] [DSA 4891-1] tomcat9 security update
2021-04-13 20:47:05
ibm
ibm
photon
photon
Home
Download Photon OS
User Documentation
FAQ
Security Advisories
Related Information
Lightwave - PHSA-2021-1.0-0372
2021-03-18 00:00:00
Important Photon OS Security Update - PHSA-2021-0208
2021-03-17 00:00:00
Important Photon OS Security Update - PHSA-2021-0372
2021-03-18 00:00:00
kaspersky
kaspersky
KLA12104 Multiple vulnerabilities in Apache Tomcat
2021-02-02 00:00:00
KLA12322 DoS vulnerability in Apache Tomcat
2021-10-06 00:00:00
KLA12085 SUI vulnerability in Apache Tomcat
2020-09-15 00:00:00
suse
suse
Security update for tomcat (moderate)
2021-11-19 00:00:00
Security update for tomcat (important)
2021-04-02 00:00:00
Security update for tomcat (moderate)
2021-11-16 00:00:00
tomcat
tomcat
Fixed in Apache Tomcat 9.0.43
2021-02-02 00:00:00
Fixed in Apache Tomcat 10.0.2
2021-02-02 00:00:00
Fixed in Apache Tomcat 8.5.63
2021-02-02 00:00:00
redhat
redhat
(RHSA-2021:4861) Important: Red Hat JBoss Web Server 5.6.0 Security release
2021-11-30 14:19:46
(RHSA-2021:4863) Important: Red Hat JBoss Web Server 5.6.0 Security release
2021-11-30 14:21:16
(RHSA-2021:2562) Moderate: Red Hat JBoss Web Server 5.5.0 security release
2021-06-29 08:35:57
rosalinux
rosalinux
Advisory ROSA-SA-2023-2258
2023-10-21 16:49:43
veracode
veracode
Denial Of Service (DoS)
2021-10-15 08:23:36
Information Disclosure
2020-10-13 04:49:31
HTTP/2 Request Mix-up
2020-10-13 01:45:40
debiancve
debiancve
github
github
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
2022-02-09 23:03:53
Missing Release of Resource after Effective Lifetime in Apache Tomcat
2021-10-15 18:51:34
cisa
cisa
Apache Releases Security Updates for Apache Tomcat
2020-10-14 00:00:00
Apache Releases Security Advisory for Tomcat
2021-10-15 00:00:00
prion
prion
Cross site request forgery (csrf)
2020-10-12 14:15:00
Memory corruption
2021-10-14 20:15:00
ubuntucve
ubuntucve
CVE-2020-13943
2020-10-12 00:00:00
CVE-2021-30640
2021-07-12 00:00:00
cnvd
cnvd
Apache Tomcat Resource Management Error Vulnerability (CNVD-2021-83785)
2021-10-18 00:00:00
nvd
nvd
CVE-2021-42340
2021-10-14 20:15:09
CVE-2020-13943
2020-10-12 14:15:12
cve
cve
redhatcve
redhatcve
f5
f5
K31573032 : Tomcat vulnerability CVE-2020-13943
2020-10-20 00:00:00
K35033051 : Tomcat vulnerability CVE-2021-30640
2021-07-28 00:00:00
cvelist
cvelist
CVE-2020-13943
2020-10-12 13:46:47
CVE-2021-33037 Incorrect Transfer-Encoding handling with HTTP/1.0
2021-07-12 14:55:15
freebsd
freebsd
tomcat -- JNDI Realm Authentication Weakness in multiple versions
2021-04-08 00:00:00
tomcat -- HTTP request smuggling in multiple versions
2021-05-07 00:00:00
amazon
amazon
Important: tomcat8
2021-10-29 16:37:00
CVSS2
5.8
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
0.15
Percentile
95.9%
Related for JRASERVER-72609