Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.
Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.
Weakness
The product does not release or incorrectly releases a resource before it is made available for re-use.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Tomcat | Apache | 9.0.1 (including) | 9.0.108 (excluding) |
| Tomcat | Apache | 10.0.0 (including) | 10.1.44 (excluding) |
| Tomcat | Apache | 11.0.0 (including) | 11.0.10 (excluding) |
| Tomcat | Apache | 9.0.0-milestone1 (including) | 9.0.0-milestone1 (including) |
| Tomcat | Apache | 9.0.0-milestone10 (including) | 9.0.0-milestone10 (including) |
| Tomcat | Apache | 9.0.0-milestone11 (including) | 9.0.0-milestone11 (including) |
| Tomcat | Apache | 9.0.0-milestone12 (including) | 9.0.0-milestone12 (including) |
| Tomcat | Apache | 9.0.0-milestone13 (including) | 9.0.0-milestone13 (including) |
| Tomcat | Apache | 9.0.0-milestone14 (including) | 9.0.0-milestone14 (including) |
| Tomcat | Apache | 9.0.0-milestone15 (including) | 9.0.0-milestone15 (including) |
| Tomcat | Apache | 9.0.0-milestone16 (including) | 9.0.0-milestone16 (including) |
| Tomcat | Apache | 9.0.0-milestone17 (including) | 9.0.0-milestone17 (including) |
| Tomcat | Apache | 9.0.0-milestone18 (including) | 9.0.0-milestone18 (including) |
| Tomcat | Apache | 9.0.0-milestone19 (including) | 9.0.0-milestone19 (including) |
| Tomcat | Apache | 9.0.0-milestone2 (including) | 9.0.0-milestone2 (including) |
| Tomcat | Apache | 9.0.0-milestone20 (including) | 9.0.0-milestone20 (including) |
| Tomcat | Apache | 9.0.0-milestone21 (including) | 9.0.0-milestone21 (including) |
| Tomcat | Apache | 9.0.0-milestone22 (including) | 9.0.0-milestone22 (including) |
| Tomcat | Apache | 9.0.0-milestone23 (including) | 9.0.0-milestone23 (including) |
| Tomcat | Apache | 9.0.0-milestone24 (including) | 9.0.0-milestone24 (including) |
| Tomcat | Apache | 9.0.0-milestone25 (including) | 9.0.0-milestone25 (including) |
| Tomcat | Apache | 9.0.0-milestone26 (including) | 9.0.0-milestone26 (including) |
| Tomcat | Apache | 9.0.0-milestone27 (including) | 9.0.0-milestone27 (including) |
| Tomcat | Apache | 9.0.0-milestone3 (including) | 9.0.0-milestone3 (including) |
| Tomcat | Apache | 9.0.0-milestone4 (including) | 9.0.0-milestone4 (including) |
| Tomcat | Apache | 9.0.0-milestone5 (including) | 9.0.0-milestone5 (including) |
| Tomcat | Apache | 9.0.0-milestone6 (including) | 9.0.0-milestone6 (including) |
| Tomcat | Apache | 9.0.0-milestone7 (including) | 9.0.0-milestone7 (including) |
| Tomcat | Apache | 9.0.0-milestone8 (including) | 9.0.0-milestone8 (including) |
| Tomcat | Apache | 9.0.0-milestone9 (including) | 9.0.0-milestone9 (including) |
| Red Hat Enterprise Linux 10 | RedHat | tomcat9-1:9.0.87-5.el10_0.3 | * |
| Red Hat Enterprise Linux 10 | RedHat | tomcat-1:10.1.36-1.el10_0.2 | * |
| Red Hat Enterprise Linux 8 | RedHat | tomcat-1:9.0.87-1.el8_10.6 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | tomcat-1:9.0.87-1.el8_8.7 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | tomcat-1:9.0.87-1.el8_8.7 | * |
| Red Hat Enterprise Linux 9 | RedHat | tomcat-1:9.0.87-3.el9_6.3 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | tomcat-1:9.0.87-1.el9_2.6 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | tomcat-1:9.0.87-1.el9_4.6 | * |
| Red Hat JBoss Web Server 5.8.6 | RedHat | tomcat | * |
| Red Hat JBoss Web Server 5.8 on RHEL 7 | RedHat | jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws | * |
| Red Hat JBoss Web Server 5.8 on RHEL 8 | RedHat | jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws | * |
| Red Hat JBoss Web Server 5.8 on RHEL 9 | RedHat | jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws | * |
| Red Hat JBoss Web Server 6.1.2 | RedHat | tomcat | * |
| Red Hat JBoss Web Server 6.1 on RHEL 10 | RedHat | jws6-tomcat-0:10.1.36-8.redhat_00009.1.el10jws | * |
| Red Hat JBoss Web Server 6.1 on RHEL 8 | RedHat | jws6-tomcat-0:10.1.36-8.redhat_00009.1.el8jws | * |
| Red Hat JBoss Web Server 6.1 on RHEL 9 | RedHat | jws6-tomcat-0:10.1.36-8.redhat_00009.1.el9jws | * |
| Tomcat10 | Ubuntu | devel | * |
| Tomcat10 | Ubuntu | esm-apps/noble | * |
| Tomcat10 | Ubuntu | noble | * |
| Tomcat10 | Ubuntu | plucky | * |
| Tomcat10 | Ubuntu | questing | * |
| Tomcat10 | Ubuntu | upstream | * |
| Tomcat11 | Ubuntu | devel | * |
| Tomcat11 | Ubuntu | questing | * |
| Tomcat11 | Ubuntu | upstream | * |
| Tomcat9 | Ubuntu | esm-apps/bionic | * |
| Tomcat9 | Ubuntu | esm-apps/focal | * |
| Tomcat9 | Ubuntu | esm-apps/jammy | * |
| Tomcat9 | Ubuntu | jammy | * |
| Tomcat9 | Ubuntu | upstream | * |
Potential Mitigations
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/125.html
- https://cwe.mitre.org/data/definitions/130.html
- https://cwe.mitre.org/data/definitions/131.html
- https://cwe.mitre.org/data/definitions/494.html
- https://cwe.mitre.org/data/definitions/495.html
- https://cwe.mitre.org/data/definitions/496.html
- https://cwe.mitre.org/data/definitions/666.html