Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
The product does not properly “clean up” and remove temporary or supporting resources after they have been used.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Red Hat Enterprise Linux 8 | RedHat | tomcat-1:9.0.87-1.el8_10.1 | * |
Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | tomcat-1:9.0.87-1.el8_8.2 | * |
Red Hat Enterprise Linux 9 | RedHat | tomcat-1:9.0.87-1.el9_4.1 | * |
Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | tomcat-1:9.0.87-1.el9_2.1 | * |
Red Hat JBoss Web Server 5 | RedHat | tomcat | * |
Red Hat JBoss Web Server 5.8 on RHEL 7 | RedHat | jws5-tomcat-0:9.0.87-3.redhat_00003.1.el7jws | * |
Red Hat JBoss Web Server 5.8 on RHEL 8 | RedHat | jws5-tomcat-0:9.0.87-3.redhat_00003.1.el8jws | * |
Red Hat JBoss Web Server 5.8 on RHEL 9 | RedHat | jws5-tomcat-0:9.0.87-3.redhat_00003.1.el9jws | * |
Red Hat JBoss Web Server 6 | RedHat | tomcat | * |
Red Hat JBoss Web Server 6.0 on RHEL 8 | RedHat | jws6-tomcat-0:10.1.8-7.redhat_00014.1.el8jws | * |
Red Hat JBoss Web Server 6.0 on RHEL 9 | RedHat | jws6-tomcat-0:10.1.8-7.redhat_00014.1.el9jws | * |
Tomcat10 | Ubuntu | mantic | * |
Tomcat6 | Ubuntu | trusty/esm | * |
Tomcat7 | Ubuntu | trusty/esm | * |
Tomcat9 | Ubuntu | esm-apps/bionic | * |
Tomcat9 | Ubuntu | esm-apps/jammy | * |
Tomcat9 | Ubuntu | focal | * |
Tomcat9 | Ubuntu | mantic | * |