Type: Bug
Resolution: Fixed
Priority: Medium
Affects versions: 8.5.1, 8.17.1, 8.5.19, 8.13.11, 8.19.1, 8.20.0, 8.20.1, 8.20.2
Severity 3 - Minor
Issue Summary
Apache Tomcat recently disclosed two vulnerabilities:
- CVE-2021-33037 (HTTP request smuggling; NVD base score 5.3 MEDIUM)
- CVE-2021-42340 (NVD score not yet provided)
The Tomcat advisory describes CVE-2021-42340 as follows: the fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. Because the leaked object is tied to the WebSocket connection lifecycle, the leak accumulates under ordinary use of any WebSocket-backed feature; no configuration change stops it, only a Tomcat upgrade.
CVE-2021-42340 affects the following versions:
- Apache Tomcat 10.1.0-M1 to 10.1.0-M5
- Apache Tomcat 10.0.0-M10 to 10.0.11
- Apache Tomcat 9.0.40 to 9.0.53
- Apache Tomcat 8.5.60 to 8.5.71
Jira currently bundles Tomcat 8.5.68, which falls inside the affected 8.5.60 to 8.5.71 range for CVE-2021-42340. (CVE-2021-33037 affects Tomcat 8.5.0 to 8.5.66 only, so the bundled 8.5.68 is exposed to CVE-2021-42340 alone.) We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.
Steps to Reproduce
- Check the CVE reports linked above; the leak cannot be triggered by a single request, it accumulates as WebSocket connections are opened and closed.
Expected Results
- Not applicable.
Actual Results
- Not applicable.
Workaround
- Manually upgrade the bundled Tomcat to 8.5.72 or later (the first 8.5.x release containing the fix for CVE-2021-42340) according to our documentation.
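Before applying the workaround it helps to confirm which Tomcat a given Jira installation actually bundles and whether it sits inside an affected range. The following script is an added example, not code from this issue or from Atlassian: it reads `server.number` out of `ServerInfo.properties` inside `catalina.jar` (the path `<install-dir>/lib/catalina.jar` is an assumption about the Jira layout) and compares the version against the CVE-2021-42340 ranges from the Tomcat advisory. It also covers the 9.0, 10.0 and 10.1 branches, which this issue only mentions in passing. The `catalina.jar` it builds for the demo is a constructed stand-in so the script runs offline.

```python
"""Check whether a Jira install's bundled Tomcat is in a CVE-2021-42340 range.

Added example (not Atlassian or Apache code). Assumes the Jira layout
<install-dir>/lib/catalina.jar and the standard Tomcat ServerInfo.properties
keys (server.info, server.number).
"""
import os
import tempfile
import zipfile

# (lowest affected, first fixed) per Tomcat branch, from the Tomcat advisory.
AFFECTED_RANGES = {
    "8.5": ("8.5.60", "8.5.72"),
    "9.0": ("9.0.40", "9.0.54"),
    "10.0": ("10.0.0-M10", "10.0.12"),
    "10.1": ("10.1.0-M1", "10.1.0-M6"),
}

SERVERINFO_PATH = "org/apache/catalina/util/ServerInfo.properties"


def parse_version(version):
    """Turn a Tomcat version string into a comparable tuple.

    Milestones sort before the GA release of the same number:
    '10.0.0-M10' -> (10, 0, 0, -1, 10) < '10.0.0' -> (10, 0, 0, 0, 0).
    Four-part server.number values such as '8.5.68.0' are accepted.
    """
    parts = []
    for token in version.replace("-", ".").split("."):
        if token.startswith("M"):
            parts.extend((-1, int(token[1:])))
        else:
            parts.append(int(token))
    while len(parts) < 5:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True if `version` lies in any [lowest affected, first fixed) range."""
    v = parse_version(version)
    return any(parse_version(low) <= v < parse_version(fixed)
               for low, fixed in AFFECTED_RANGES.values())


def tomcat_version_from_jar(jar_path):
    """Read server.number from ServerInfo.properties inside catalina.jar."""
    with zipfile.ZipFile(jar_path) as jar:
        props = jar.read(SERVERINFO_PATH).decode("utf-8")
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.number":
            return value.strip()
    raise ValueError(f"server.number not found in {jar_path}")


def check_install(install_dir):
    """Return (server.number, affected?) for <install_dir>/lib/catalina.jar."""
    jar_path = os.path.join(install_dir, "lib", "catalina.jar")
    version = tomcat_version_from_jar(jar_path)
    return version, is_affected(version)


def make_sample_jar(lib_dir, server_number):
    """Constructed stand-in for catalina.jar, for offline demonstration only."""
    display = server_number.rsplit(".", 1)[0]  # '8.5.68.0' -> '8.5.68'
    jar_path = os.path.join(lib_dir, "catalina.jar")
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr(SERVERINFO_PATH,
                     f"server.info=Apache Tomcat/{display}\n"
                     f"server.number={server_number}\n")
    return jar_path


def demo_check(server_number):
    """Build a throwaway install dir with a constructed catalina.jar and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "lib"))
        make_sample_jar(os.path.join(tmp, "lib"), server_number)
        return check_install(tmp)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        version, affected = check_install(sys.argv[1])  # real Jira install dir
    else:
        version, affected = demo_check("8.5.68.0")      # the version this issue reports
    state = "AFFECTED" if affected else "not affected"
    print(f"bundled Tomcat {version}: {state} by CVE-2021-42340")
```

Run it with the Jira installation directory as the only argument to check a real instance; with no argument it checks the constructed 8.5.68 jar and reports it as affected. Note that a version below 8.5.60 reports as not affected by this CVE, which says nothing about the older Tomcat issues tracked in the related tickets below.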
Note on fix
Jira 8.21.0 ships with Apache Tomcat 8.5.72, the release that contains the fix for CVE-2021-42340.
is related to
- JRASERVER-71321 Upgrade the bundled version of Apache Tomcat to 8.5.57 (Closed)
- JRASERVER-72211 Tomcat PersistenceManager vulnerabilities - CVE-2021-25329 and CVE-2021-25122 (Closed)
- JRASERVER-72310 8.5 and 8.13 LTS releases should bundle Tomcat 8.5.63 or higher (Closed)
- JRASERVER-72914 Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError (Closed)
- JRASERVER-72346 Jira Server and Data Center affected by Tomcat CVE-2021-25329 and CVE-2021-25122 (Published)
- JRASERVER-72706 Jira is affected by Tomcat CVE-2020-13943 (Published)
- JSEC-1076
- JSEC-1078
- JSEC-1079
relates to
- JSEC-950