The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Apache
  • Tomcat
Debian
  • Debian Linux
Redhat
  • Jboss Enterprise Web Server

Configuration 1 [-]

OR cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Package CPE Advisory Released Date
JWS 5.7.0
cpe:/a:redhat:jboss_enterprise_web_server:5.7 RHSA-2022:7273 2022-11-02T00:00:00Z
Red Hat JBoss Web Server 5.7 on RHEL 7
jws5-ecj-0:4.20.0-1.redhat_00002.1.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7 RHSA-2022:7272 2022-11-02T00:00:00Z
jws5-tomcat-0:9.0.62-9.redhat_00005.1.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7 RHSA-2022:7272 2022-11-02T00:00:00Z
jws5-tomcat-native-0:1.2.31-10.redhat_10.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7 RHSA-2022:7272 2022-11-02T00:00:00Z
Red Hat JBoss Web Server 5.7 on RHEL 8
jws5-ecj-0:4.20.0-1.redhat_00002.1.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8 RHSA-2022:7272 2022-11-02T00:00:00Z
jws5-tomcat-0:9.0.62-9.redhat_00005.1.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8 RHSA-2022:7272 2022-11-02T00:00:00Z
jws5-tomcat-native-0:1.2.31-10.redhat_10.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8 RHSA-2022:7272 2022-11-02T00:00:00Z
Red Hat JBoss Web Server 5.7 on RHEL 9
jws5-0:1-8.el9jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9 RHSA-2022:7272 2022-11-02T00:00:00Z
jws5-ecj-0:4.20.0-1.redhat_00002.1.el9jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9 RHSA-2022:7272 2022-11-02T00:00:00Z
jws5-javapackages-tools-0:3.4.1-5.15.11.el9jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9 RHSA-2022:7272 2022-11-02T00:00:00Z
jws5-jboss-logging-0:3.4.1-1.Final_redhat_00001.1.el9jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9 RHSA-2022:7272 2022-11-02T00:00:00Z
jws5-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el9jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9 RHSA-2022:7272 2022-11-02T00:00:00Z
jws5-tomcat-0:9.0.62-9.redhat_00005.1.el9jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9 RHSA-2022:7272 2022-11-02T00:00:00Z
jws5-tomcat-native-0:1.2.31-10.redhat_10.el9jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9 RHSA-2022:7272 2022-11-02T00:00:00Z
jws5-tomcat-vault-0:1.1.8-4.Final_redhat_00004.1.el9jws cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9 RHSA-2022:7272 2022-11-02T00:00:00Z
References
Link Providers
http://www.openwall.com/lists/oss-security/2022/09/28/1 cve-icon cve-icon
https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3 cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-43980 cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-43980 cve-icon
https://www.debian.org/security/2022/dsa-5265 cve-icon cve-icon
History

Wed, 21 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-09-28T00:00:00.000Z

Updated: 2025-05-21T15:00:10.097Z

Reserved: 2021-11-17T00:00:00.000Z

Link: CVE-2021-43980

cve-icon Vulnrichment

Updated: 2024-08-04T04:10:16.914Z

cve-icon NVD

Status : Modified

Published: 2022-09-28T14:15:09.880

Modified: 2025-05-21T15:15:55.223

Link: CVE-2021-43980

cve-icon Redhat

Severity : Low

Publid Date: 2022-09-28T00:00:00Z

Links: CVE-2021-43980 - Bugzilla