CVE-2021-41079 - Denial of Service (DoS)
Severity: High
2021-10-18
Abstract
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
The Apache tomcat-coyote package is vulnerable to a Denial of Service (DoS) attack. A remote attacker can exploit this vulnerability by issuing a maliciously crafted packet in order to cause an infinite loop and ultimately a DoS condition.
The Oxygen XML products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability on those products.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen XML Web Author 23.1 and older | High | Oxygen XML Web Author 24.0 build 2021101122; Oxygen XML Web Author 23.1 build 2021112409 |
Detail
CVE-2021-41079
Severity: High
CVSS Score: 7.5
The Apache Tomcat third-party library bundled with Oxygen XML software products is one of the affected versions listed in the CVE-2021-41079 description. As that description states, the infinite loop is only reachable when Tomcat is configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS; deployments terminating TLS with a different implementation, or in front of Tomcat, are not exposed through this path, but upgrading is still the recommended remediation.
Starting with Oxygen XML Web Author version 24.0, Apache Tomcat was updated to version 9.0.53, which is outside the affected ranges and includes the fix for CVE-2021-41079.
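As an added check that is not part of this advisory or of the Oxygen XML products, the following Python helper tests a Tomcat version string against the three affected ranges quoted above (milestone builds such as 9.0.0-M1 sort before the corresponding final release) and combines the result with the OpenSSL-connector precondition. The sample "Server version:" line is a constructed example of the output of Tomcat's own `org.apache.catalina.util.ServerInfo` class (run as `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` from the Tomcat home directory); the function and constant names are mine.

```python
import re
from typing import Tuple

# Affected ranges exactly as quoted in the CVE-2021-41079 description above.
AFFECTED_RANGES = (
    ("8.5.0", "8.5.63"),
    ("9.0.0-M1", "9.0.43"),
    ("10.0.0-M1", "10.0.2"),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '9.0.43' or '9.0.0-M1' into a sortable tuple.

    A milestone sorts before the final release with the same number:
    9.0.0-M1 -> (9, 0, 0, 0, 1) and 9.0.0 -> (9, 0, 0, 1, 0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the CVE's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def is_exposed(version: str, uses_openssl_tls: bool) -> bool:
    """Affected version AND the NIO+OpenSSL / NIO2+OpenSSL precondition.

    uses_openssl_tls is an assumption the caller supplies from the
    Connector configuration; the CVE text limits the bug to those modes.
    """
    return is_affected(version) and uses_openssl_tls


def version_from_server_info(output: str) -> str:
    """Extract the version from ServerInfo output such as
    'Server version: Apache Tomcat/9.0.53'."""
    m = re.search(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)", output)
    if not m:
        raise ValueError("no 'Apache Tomcat/<version>' found in output")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample line, not captured from a real installation.
    sample = "Server version: Apache Tomcat/9.0.53"
    ver = version_from_server_info(sample)
    print(ver, "affected" if is_affected(ver) else "not affected")
```

Pass `uses_openssl_tls=True` when the HTTPS Connector runs on the NIO or NIO2 protocol with the OpenSSL SSL implementation (for example because tomcat-native is loaded); if you are unsure, treat an affected version as exposed and upgrade.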