Cyber Resilience

CVE-2021-42340

High

Published: 14 October 2021
Modified: 21 November 2024
KEV Added: not listed
Patch
CVSS Score (v3.1): 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0428 (percentile 89.1)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-42340 is a high-severity Missing Release of Resource after Effective Lifetime (CWE-772) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 10.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Vulnerability details

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: affected versions

apache / tomcat: 10.0.0, 10.1.0; 8.5.60 to 8.5.72; 9.0.40 to 9.0.54; 10.0.1 to 10.0.12
netapp / hci: all versions
netapp / management services for element software: all versions
debian / debian linux: 11.0
oracle / agile engineering data management: 6.2.1.0
oracle / big data spatial and graph: up to and including 23.1
oracle / communications diameter signaling router: 8.0.0.0 to 8.5.0.2
oracle / hospitality cruise shipboard property management system: 20.1.0
oracle / managed file transfer: 12.2.1.3.0, 12.2.1.4.0
oracle / middleware common libraries and tools: 12.2.1.4.0
+8 more product configuration(s); see NVD for the full list

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-772): ensures network resources are released once the session ends or becomes inactive, closing the window for missing-release weaknesses.

References