CVE-2021-30639

Name	CVE-2021-30639
Description	A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
tomcat9 (PTS)	buster	9.0.31-1~deb10u6	fixed
	buster (security)	9.0.31-1~deb10u12	fixed
	bullseye	9.0.43-2~deb11u9	fixed
	bullseye (security)	9.0.43-2~deb11u10	fixed
	sid, trixie, bookworm	9.0.70-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
tomcat8	source	stretch	(not affected)
tomcat8	source	(unstable)	(unfixed)
tomcat9	source	(unstable)	(not affected)

Notes

- tomcat9 <not-affected> (Vulnerable code introduced later in 9.0.44)
[stretch] - tomcat8 <not-affected> (Vulnerable code was introduced later)
https://bz.apache.org/bugzilla/show_bug.cgi?id=65203
https://github.com/apache/tomcat/commit/8ece47c4a9fb9349e8862c84358a4dd23c643a24 (9.0.45)
https://github.com/apache/tomcat/commit/411caf29ac1c16e6ac291b6e5543b2371dbd25e2 (8.5.65)