CVE-2021-42340: Apache Tomcat DoS Vulnerability Alert

Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. Tomcat provides a "pure Java" HTTP web server environment in which Java code can run. On October 14, 2021, Apache officially released a risk notice for an Apache Tomcat denial of service vulnerability, tracked as CVE-2021-42340 and rated with a severity of "important". A denial of service attack against this flaw destroys the availability of the Tomcat service, which makes the vulnerability more harmful than its class might suggest.

Vulnerability Detail

The fix for Tomcat bug 63362 introduced a memory leak. The object used to collect metrics for HTTP upgrade connections is not released when a Tomcat WebSocket connection is closed, so each closed WebSocket connection leaves an unreleased object behind. Over time the leaked objects exhaust the Java heap, and an attacker can cause a denial of service through the resulting OutOfMemoryError.

Affected version

  • Apache Tomcat 10.1.0-M1 to 10.1.0-M5
  • Apache Tomcat 10.0.0-M10 to 10.0.11
  • Apache Tomcat 9.0.40 to 9.0.53
  • Apache Tomcat 8.5.60 to 8.5.71

Unaffected version

  • Apache Tomcat 10.1.0-M6 or later
  • Apache Tomcat 10.0.12 or later
  • Apache Tomcat 9.0.54 or later
  • Apache Tomcat 8.5.72 or later
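As an added example that is not part of the original advisory, the following Python helper maps a Tomcat version string onto the affected ranges listed above. It takes care of the milestone builds (`10.1.0-M5`, `10.0.0-M10`), which sort before the final release of the same number, and it can pull the version out of the output of Tomcat's own `version.sh` (the `Server version: Apache Tomcat/...` line). The sample `version.sh` output embedded below is constructed for the example.

```python
import re

# Affected ranges exactly as published in the advisory (both ends inclusive).
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M5"),
    ("10.0.0-M10", "10.0.11"),
    ("9.0.40", "9.0.53"),
    ("8.5.60", "8.5.71"),
]

# First fixed release per branch, for the remediation message.
FIXED_VERSIONS = {"10.1": "10.1.0-M6", "10.0": "10.0.12", "9.0": "9.0.54", "8.5": "8.5.72"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_SERVER_LINE_RE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")


def parse_version(version):
    """Turn '9.0.53' or '10.1.0-M5' into a sortable tuple.

    A milestone build sorts below the final release of the same number:
    (10, 1, 0, 0, 5) for 10.1.0-M5 is less than (10, 1, 0, 1, 0) for 10.1.0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if the version falls inside any affected range from the advisory."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_server_info(output):
    """Extract the version from `version.sh` / ServerInfo output, or None if absent."""
    m = _SERVER_LINE_RE.search(output)
    return m.group(1) if m else None


def assess(version):
    """Human-readable verdict for one version string."""
    if not is_affected(version):
        return f"Tomcat {version}: not affected by CVE-2021-42340"
    major, minor = parse_version(version)[:2]
    fixed = FIXED_VERSIONS.get(f"{major}.{minor}", "a fixed release")
    return f"Tomcat {version}: AFFECTED by CVE-2021-42340, upgrade to {fixed} or later"


# Constructed sample of what `bin/version.sh` prints on a vulnerable install.
SAMPLE_VERSION_SH_OUTPUT = """\
Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.53
Server built:   Sep 10 2021 11:33:29 UTC
Server number:  9.0.53.0
OS Name:        Linux
"""

if __name__ == "__main__":
    found = version_from_server_info(SAMPLE_VERSION_SH_OUTPUT)
    print(assess(found))
    for v in ("10.1.0-M5", "10.1.0-M6", "10.0.0-M9", "10.0.0", "8.5.72"):
        print(assess(v))
```

Run `bin/version.sh` (or `version.bat`) on each Tomcat host and feed the output to `version_from_server_info`; the `-M` handling matters because a plain string comparison would wrongly treat `10.1.0-M6` as older than `10.1.0-M5`'s neighbours.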

Solution

We recommend that users upgrade Apache Tomcat to the fixed version for their branch, or to the latest version, as soon as possible.