Jira Data Center
JRASERVER-72914

Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError


      Issue Summary

      Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError (Base Score: 7.5 HIGH)

      The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

      The recently disclosed Tomcat vulnerability CVE-2021-42340 affects the following Tomcat versions:

      • Apache Tomcat 8.5.60 to 8.5.71
      • Apache Tomcat 9.0.40 to 9.0.53
      • Apache Tomcat 10.0.0-M10 to 10.0.11

      Mitigation:
      Users of the affected versions should apply one of the following mitigations:

      • Upgrade to Apache Tomcat 8.5.72 or later
      • Upgrade to Apache Tomcat 9.0.54 or later
      • Upgrade to Apache Tomcat 10.0.12 or later
      • Upgrade to Apache Tomcat 10.1.0-M6 or later
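      To turn the version ranges above into a check, here is an added example (not part of this issue or of Atlassian's tooling) that parses a Tomcat version string, including milestone builds such as 10.0.0-M10, and reports whether it falls in an affected range and which release on that branch carries the fix. The ranges are copied from the advisory text; the sample version strings are constructed.

```python
"""Check a Tomcat version string against the CVE-2021-42340 affected ranges.

Added example; the ranges are taken from the advisory text above and the
inputs in __main__ are constructed samples (e.g. the Tomcat version an
installation reports).
"""
import re
from typing import Optional, Tuple

# (first affected, last affected, first fixed) per Tomcat branch, per the advisory.
AFFECTED_RANGES = [
    ("8.5.60", "8.5.71", "8.5.72"),
    ("9.0.40", "9.0.53", "9.0.54"),
    ("10.0.0-M10", "10.0.11", "10.0.12"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '10.0.0-M10' or '9.0.53' into a sortable tuple.

    A milestone build precedes the GA release of the same number, so it
    sorts as (major, minor, patch, 0, n) while GA sorts as (..., 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def recommended_upgrade(version: str) -> Optional[str]:
    """First fixed release on the matching branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the vulnerable ranges."""
    return recommended_upgrade(version) is not None


if __name__ == "__main__":
    # Constructed sample inputs spanning the boundaries of each range.
    for sample in ("8.5.59", "8.5.71", "9.0.54", "10.0.0-M9", "10.0.0-M10", "10.0.11"):
        verdict = "affected" if is_affected(sample) else "not affected"
        print(f"{sample}: {verdict}; upgrade to {recommended_upgrade(sample)}")
```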

      Steps to Reproduce

      See more at: https://nvd.nist.gov/vuln/detail/CVE-2021-42340 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42340

      Expected Results

      • Not applicable.

      Actual Results

      • Not applicable.

      Affected Jira versions:
      8.15 to 8.19

      Workaround

            Assignee: Unassigned
            Reporter: Deniz Secilir