It has to do with not releasing http websocket connections properly. So its
both. We just had to upgrade to 9.0.53 on everything because of this.
Shawn Beard • Sr. Systems Engineer
Middleware Engineering
[cid:image852868.png@BE68D2F7.0F762FA2]
3840 109th Street , Urbandale , IA 50322
Phone: +1-515-564-2528<tel:+1-515-564-2528>
Email: sbe...@wrberkley.com<mailto:sbe...@wrberkley.com>
Website: https://berkleytechnologyservices.com/
[cid:image544710.jpg@E9DE55D0.0D0A7FFA]
Technology Leadership Unleashing Business Potential
-----Original Message-----
From: James H. H. Lampert <jam...@touchtonecorp.com.INVALID>
Sent: Monday, December 6, 2021 1:29 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: [SECURITY] CVE-2021-42340 Apache Tomcat DoS [EXTERNAL]
** CAUTION: External message
On 10/14/21 7:12 AM, Mark Thomas wrote:
> The fix for bug 63362 introduced a memory leak. The object introduced
> to collect metrics for HTTP upgrade connections was not released for
> WebSocket connections once the WebSocket connection was closed. This
> created a memory leak that, over time, could lead to a denial of
> service via an OutOfMemoryError.
Question:
Is this even an issue if the Tomcat is configured to *only* listen on 443, and
rejects non-HTTPS connections outright?
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
CONFIDENTIALITY NOTICE: This e-mail and the transmitted documents contain
private, privileged and confidential information belonging to the sender. The
information therein is solely for the use of the addressee. If your receipt of
this transmission has occurred as the result of an error, please immediately
notify us so we can arrange for the return of the documents. In such
circumstances, you are advised that you may not disclose, copy, distribute or
take any other action in reliance on the information transmitted.
