CVE-2021-41079

7.5 HIGH

📋 TL;DR

This vulnerability in Apache Tomcat allows denial of service attacks when using specific TLS configurations. Attackers can send specially crafted TLS packets to trigger an infinite loop, causing Tomcat to become unresponsive. Affected systems include Tomcat 8.5.0-8.5.63, 9.0.0-M1-9.0.43, and 10.0.0-M1-10.0.2 configured with NIO+OpenSSL or NIO2+OpenSSL.

💻 Affected Systems

Products:
  • Apache Tomcat
Versions: 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43, 10.0.0-M1 to 10.0.2
Operating Systems: All operating systems running affected Tomcat versions
Default Config Vulnerable: ✅ No
Notes: Only connectors whose TLS records are handled by OpenSSL are affected: an NIO or NIO2 HTTP connector with SSLEnabled="true" plus the Tomcat Native (tcnative) library. The pure-Java JSSE implementation is not affected. Be careful with "default config": the stock server.xml already ships an AprLifecycleListener with SSLEngine="on", so a plain zip/tarball install without the native library uses JSSE and is safe, while the very same server.xml silently switches its TLS connector to OpenSSL as soon as tcnative is present (the Windows installer ships it; Linux distributions package it separately).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service causing Tomcat to become completely unresponsive, requiring manual restart and potentially disrupting critical web applications.

🟠

Likely Case

Service disruption and downtime for web applications hosted on vulnerable Tomcat instances, leading to business impact and potential revenue loss.

🟢

If Mitigated

Minimal impact if systems are patched or using unaffected TLS configurations, with normal service availability maintained.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs nothing more than network reachability to a TLS port served by an affected connector: no credentials, no client certificate and no prior knowledge of the configuration (a packet aimed at a JSSE connector simply has no effect, so an attacker can try blindly). Each successful packet ties up a worker thread in the loop until the pool is exhausted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.64, 9.0.44, 10.0.3

Vendor Advisory: https://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E

Restart Required: Yes

Instructions:

1. Download the patched release (8.5.64+, 9.0.44+ or 10.0.3+) from the Apache Tomcat download site and verify the .sha512 checksum or the PGP signature against the project KEYS file before unpacking it.
2. Stop the Tomcat service.
3. Back up the current installation, in particular conf/ (server.xml, web.xml, tomcat-users.xml, context.xml) and any webapps or libraries added outside the stock archive.
4. Install the new version and carry the conf/ files, webapps and extra libraries over; if tcnative is in use, keep the native library that matches the new release.
5. Start Tomcat, confirm the reported version, and confirm the TLS connector came up and completes a handshake (see How to Verify).

🔧 Temporary Workarounds

Change TLS Connector Configuration

all

Keep the NIO/NIO2 connector but move its TLS handling from OpenSSL to the pure-Java JSSE implementation. Do not "switch to APR": the connector's protocol attribute does not choose the TLS engine, and the APR/native connector itself runs on OpenSSL through tcnative (it is also removed from Tomcat 10.1 onward).

Two equivalent edits to server.xml: (a) set sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" on every SSLEnabled connector, or (b) set SSLEngine="off" on the org.apache.catalina.core.AprLifecycleListener (or remove the listener if nothing else needs APR), after which NIO/NIO2 connectors default to JSSE. Restart and check catalina.out: the handler must now start as ["https-jsse-nio-8443"] rather than ["https-openssl-nio-8443"]. Expect more CPU per handshake with JSSE, and re-check that the negotiated protocols and ciphers still meet policy, since JSSE and OpenSSL support different sets.
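The edit described above as a before/after server.xml fragment. This is an added example, not a file from the page or the Tomcat project; the port, maxThreads value and certificate paths are placeholders, and the comments quoting the startup-log handler names describe what you should see after each variant.

```xml
<!-- BEFORE (exposed on 8.5.0-8.5.63 / 9.0.0-9.0.43 / 10.0.0-10.0.2 when tcnative
     is installed): the stock listener keeps the OpenSSL engine on, and an NIO
     connector with no sslImplementationName then defaults to
     org.apache.tomcat.util.net.openssl.OpenSSLImplementation.
     catalina.out: Starting ProtocolHandler ["https-openssl-nio-8443"] -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
  <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true">
    <Certificate certificateKeyFile="conf/localhost-key.pem"
                 certificateFile="conf/localhost-cert.pem"
                 certificateChainFile="conf/localhost-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- AFTER, option (a): pin this one connector to JSSE. The SSLHostConfig and
     PEM files are reused unchanged (JSSE in Tomcat 8.5+ reads PEM).
     catalina.out should now say: Starting ProtocolHandler ["https-jsse-nio-8443"] -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true">
    <Certificate certificateKeyFile="conf/localhost-key.pem"
                 certificateFile="conf/localhost-cert.pem"
                 certificateChainFile="conf/localhost-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- AFTER, option (b): turn the OpenSSL engine off for the whole JVM instead.
     Every NIO/NIO2 connector without an explicit sslImplementationName then
     falls back to JSSE, so no per-connector edit is needed. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
```

Option (a) is the safer change on a host with several connectors because it is explicit and survives someone later re-enabling the listener; option (b) is the quicker one when you cannot audit every Connector element.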

Network Segmentation

linux

Restrict access to Tomcat TLS ports to trusted networks only.

# Replace trusted_network with a CIDR (e.g. a VPN or load-balancer range). Rules are
# appended, so make sure no earlier catch-all ACCEPT on INPUT matches first (or use -I).
# Repeat for 443 if the connector is bound there or forwarded from it.
iptables -A INPUT -p tcp --dport 8443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -j DROP

🧯 If You Can't Patch

  • Use IPS/IDS anomaly rules (rate-limit new TLS connections per source IP, alert on connections that never complete a handshake); no public PoC or vendor signature for this CVE is referenced here, so do not expect a "malformed TLS packet" rule to exist
  • Terminate TLS on a load balancer, WAF or reverse proxy in front of Tomcat and talk plain HTTP (or a JSSE-only connector) to the back end; the attacker's TLS records then never reach Tomcat's OpenSSL engine, which is the vulnerable code path

🔍 How to Verify

Check if Vulnerable:

Two conditions must both hold: the version is inside an affected range, and at least one SSLEnabled NIO/NIO2 connector is served by OpenSSL. In server.xml that means either sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation" is set explicitly, or the attribute is absent while the Tomcat Native library is loaded and the AprLifecycleListener has SSLEngine="on" (the stock default). The quickest ground truth is the startup log: Starting ProtocolHandler ["https-openssl-nio-8443"] means OpenSSL, ["https-jsse-nio-8443"] means JSSE, and "Loaded Apache Tomcat Native library" near the top of catalina.out confirms tcnative is present.

Check Version:

$CATALINA_HOME/bin/version.sh
java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo

Both print "Server version: Apache Tomcat/x.y.z" (use version.bat on Windows). The bare java -cp catalina.jar form only works when run from inside the lib/ directory.

Verify Fix Applied:

Confirm "Server version" reports 8.5.64+, 9.0.44+ or 10.0.3+, then confirm the TLS connector actually started (its Starting ProtocolHandler line in catalina.out with no SEVERE after it) and completes a handshake, for example: openssl s_client -connect host:8443 -servername host </dev/null. Keeping OpenSSL after patching is fine; the fix is in Tomcat's TLS packet validation, not in OpenSSL itself.
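The check above, automated. This is an added example, not tooling from the page or the Tomcat project: it combines the version string, server.xml and the startup portion of catalina.out into one verdict. The affected ranges and class names are from the advisory and Tomcat; the sample server.xml and log lines are constructed for the example, and the assumption that "HTTP/1.1" means the NIO connector holds for every affected branch (8.5 and later).

```python
"""Added example: is this Tomcat instance in scope for CVE-2021-41079?"""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: 8.5.0-8.5.63, 9.0.0-M1-9.0.43, 10.0.0-M1-10.0.2
AFFECTED = {8: ((5, 0), (5, 63)), 9: ((0, 0), (0, 43)), 10: ((0, 0), (0, 2))}

OPENSSL_IMPL = "org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
# "HTTP/1.1" resolves to the NIO connector on every affected branch (8.5+).
NIO_PROTOCOLS = {"HTTP/1.1", "org.apache.coyote.http11.Http11NioProtocol",
                 "org.apache.coyote.http11.Http11Nio2Protocol"}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
HANDLER_RE = re.compile(r'Starting ProtocolHandler \["(https-(openssl|jsse)-nio2?-\d+)"\]')


def version_affected(version):
    """True for e.g. 'Apache Tomcat/9.0.43'. Milestone suffixes (-M1) are
    ignored: every 9.0.0-Mx / 10.0.0-Mx build is inside the affected range."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    major, minor, patch = (int(x) for x in m.groups())
    if major not in AFFECTED:
        return False
    low, high = AFFECTED[major]
    return low <= (minor, patch) <= high


def openssl_connectors(server_xml, native_loaded):
    """Ports of SSLEnabled NIO/NIO2 connectors whose TLS is handled by OpenSSL."""
    root = ET.fromstring(server_xml)
    # With tcnative loaded and the APR listener's SSLEngine not "off",
    # NIO/NIO2 connectors without sslImplementationName default to OpenSSL.
    engine_on = any(l.get("SSLEngine", "on").lower() != "off"
                    for l in root.iter("Listener") if l.get("className") == APR_LISTENER)
    default_openssl = native_loaded and engine_on
    ports = []
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        if c.get("protocol", "HTTP/1.1") not in NIO_PROTOCOLS:
            continue  # APR connector or AJP: outside this CVE's scope
        impl = c.get("sslImplementationName")
        if impl == OPENSSL_IMPL or (impl is None and default_openssl):
            ports.append(int(c.get("port")))
    return ports


def openssl_handlers(catalina_out):
    """Handler names Tomcat logged at startup; 'https-openssl-nio-8443' is the
    ground truth for which engine a connector really uses."""
    found = []
    for line in catalina_out.splitlines():
        m = HANDLER_RE.search(line)
        if m and m.group(2) == "openssl":
            found.append(m.group(1))
    return found


def assess(version, server_xml, catalina_out):
    native_loaded = "Loaded Apache Tomcat Native library" in catalina_out
    ports = openssl_connectors(server_xml, native_loaded)
    return {"version_affected": version_affected(version),
            "openssl_connectors": ports,
            "openssl_handlers": openssl_handlers(catalina_out),
            "vulnerable": version_affected(version) and bool(ports)}


# Constructed sample inputs (not from a real host).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-key.pem"
                     certificateFile="conf/localhost-cert.pem" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" />
  </Service>
</Server>
"""

SAMPLE_CATALINA_OUT = """\
17-Sep-2021 10:15:02.114 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.26] using APR version [1.7.0].
17-Sep-2021 10:15:03.001 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
17-Sep-2021 10:15:03.002 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-8443"]
17-Sep-2021 10:15:03.003 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio2-9443"]
"""

if __name__ == "__main__":
    print(assess("Apache Tomcat/9.0.43", SAMPLE_SERVER_XML, SAMPLE_CATALINA_OUT))
```

On the sample, port 8443 is flagged (no sslImplementationName, tcnative loaded, engine on) while 9443 is not (explicitly JSSE) and 8080 is skipped (no TLS); run the same assess() against a 9.0.44 version string or with the native-library line removed and "vulnerable" turns false. Disagreement between openssl_connectors (config) and openssl_handlers (log) usually means server.xml was edited after the last restart.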

📡 Detection & Monitoring

Log Indicators (catalina.out plus host metrics; the access log will not show the stuck connections because the loop runs before any request is logged):

  • One or more Tomcat worker threads pinned at 100% CPU (top -H -p <pid> or ps -L) while request throughput on the TLS port drops to zero
  • WARNING "Maximum number of threads (N) created for connector with address [...] and port [8443]" once every worker is spinning, i.e. thread pool exhaustion on the TLS connector
  • Health-check failures and client-side timeouts against the TLS port; a plain-HTTP connector on the same JVM has its own thread pool and may still answer

Network Indicators:

  • TLS connections to 8443/443 that are accepted but never complete a handshake or carry application data, in particular a burst of them from one source shortly before the service stopped answering
  • New connections backing up (TCP accepted, no server data ever sent) once the pool is exhausted; no public packet signature for this CVE is referenced here, so treat these as anomaly indicators rather than a detection rule

SIEM Query (Splunk-style; adapt field names to how catalina.out is ingested):

source="*catalina*" ("Maximum number of threads" OR ("Starting ProtocolHandler" AND "openssl-nio"))

The second clause matches the startup line and tells you which hosts run OpenSSL-backed connectors at all (scope the alert to those); the first catches the exhaustion warning.
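The same logic as the SIEM query, run offline over log lines so it can be tested before it goes into a rule. This is an added example, not from the page or the Tomcat project. It reads Tomcat's juli one-line format (date, level, [thread], logger, message), learns which ports are OpenSSL-backed from the Starting ProtocolHandler lines, and raises one alert when a port collects `threshold` "Maximum number of threads" warnings inside a sliding `window`. The log lines are constructed; the thread and logger names on the warning lines, and the exact wording of that warning, are assumptions made for the example.

```python
"""Added example: thresholded detection of thread-pool exhaustion on an
OpenSSL-backed TLS connector, from catalina.out lines."""
import re
from collections import deque
from datetime import datetime, timedelta

# Tomcat juli one-line format: "17-Sep-2021 11:02:41.537 WARNING [thread] logger message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>\w+) "
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$")
HANDLER_RE = re.compile(r'Starting ProtocolHandler \["https-openssl-nio2?-(?P<port>\d+)"\]')
MAXTHREADS_RE = re.compile(
    r"Maximum number of threads \((?P<n>\d+)\) created for connector .* port \[(?P<port>\d+)\]")


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec


def scan(lines, window=timedelta(minutes=5), threshold=3):
    """Return [(port, first_ts, last_ts, count)] for each OpenSSL TLS port that
    logged `threshold` maxThreads warnings within `window`. Warnings on JSSE or
    plain-HTTP connectors are ignored: exhaustion there is a different problem."""
    openssl_ports = set()
    recent = {}                      # port -> deque of warning timestamps
    alerts, alerted = [], set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        h = HANDLER_RE.search(rec["msg"])
        if h:
            openssl_ports.add(int(h.group("port")))
            continue
        w = MAXTHREADS_RE.search(rec["msg"])
        if not w or rec["level"] != "WARNING":
            continue
        port = int(w.group("port"))
        if port not in openssl_ports:
            continue
        q = recent.setdefault(port, deque())
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop warnings older than the window
            q.popleft()
        if len(q) >= threshold and port not in alerted:
            alerted.add(port)                     # one alert per port per scan
            alerts.append((port, q[0], rec["ts"], len(q)))
    return alerts


# Constructed sample log: an OpenSSL connector on 8443, a plain-HTTP one on 8080,
# three exhaustion warnings on 8443 within two minutes and an unrelated one on 8080.
SAMPLE_LOG = """\
17-Sep-2021 10:15:03.002 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-8443"]
17-Sep-2021 10:15:03.003 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
17-Sep-2021 11:02:41.537 WARNING [https-openssl-nio-8443-Acceptor] org.apache.tomcat.util.net.AbstractEndpoint.processSocket Maximum number of threads (150) created for connector with address [null] and port [8443]
17-Sep-2021 11:03:12.010 WARNING [https-openssl-nio-8443-Acceptor] org.apache.tomcat.util.net.AbstractEndpoint.processSocket Maximum number of threads (150) created for connector with address [null] and port [8443]
17-Sep-2021 11:03:55.421 WARNING [http-nio-8080-Acceptor] org.apache.tomcat.util.net.AbstractEndpoint.processSocket Maximum number of threads (200) created for connector with address [null] and port [8080]
17-Sep-2021 11:04:20.876 WARNING [https-openssl-nio-8443-Acceptor] org.apache.tomcat.util.net.AbstractEndpoint.processSocket Maximum number of threads (150) created for connector with address [null] and port [8443]
"""

if __name__ == "__main__":
    for port, first, last, n in scan(SAMPLE_LOG.splitlines()):
        print("ALERT port %d: %d maxThreads warnings between %s and %s" % (port, n, first, last))
```

Tune `threshold` and `window` to the connector's maxThreads and your traffic: a single warning on a busy site is ordinary load, a cluster of them on an OpenSSL-backed port that is not otherwise busy is the pattern this CVE produces. The port filter is what keeps the rule from firing on every Tomcat thread-pool blip in the estate.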

🔗 References