CVE-2021-41079 - Denial of Service (DoS)

Severity: High

2021-10-18


Abstract

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

The Apache tomcat-coyote package is vulnerable to a Denial of Service (DoS) attack. A remote attacker can exploit this vulnerability by issuing a maliciously crafted packet in order to cause an infinite loop and ultimately a DoS condition.

The Oxygen XML products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability on those products.
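An added configuration check, not part of this advisory or of Oxygen XML's own tooling, that applies the two conditions stated above: it reports whether a Tomcat version string falls inside the affected ranges (including the "-Mn" milestone builds, which sort before the final release of the same number) and lists the TLS connectors in a server.xml that would run NIO or NIO2 with the OpenSSL engine. The server.xml is constructed for illustration. The attribute names used (protocol, SSLEnabled, sslImplementationName, and useOpenSSL on AprLifecycleListener) are standard Tomcat ones; the assumption that an unset sslImplementationName resolves to OpenSSL only when the APR listener is present with OpenSSL enabled follows Tomcat's documented default, and the "HTTP/1.1" protocol shorthand is deliberately not resolved.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges per branch, taken from the advisory text.
AFFECTED_RANGES = {
    "8.5": ("8.5.0", "8.5.63"),
    "9.0": ("9.0.0-M1", "9.0.43"),
    "10.0": ("10.0.0-M1", "10.0.2"),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version):
    """Turn 'x.y.z' or 'x.y.z-Mn' into a comparable tuple.

    A milestone sorts before the final release with the same number:
    9.0.0-M1 < 9.0.0-M2 < 9.0.0 < 9.0.1.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    tag = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tag


def version_in_affected_range(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    t = parse_version(version)
    branch = f"{t[0]}.{t[1]}"
    if branch not in AFFECTED_RANGES:
        return False
    low, high = AFFECTED_RANGES[branch]
    return parse_version(low) <= t <= parse_version(high)


NIO_PROTOCOLS = {
    "org.apache.coyote.http11.Http11NioProtocol",
    "org.apache.coyote.http11.Http11Nio2Protocol",
}
OPENSSL_IMPL = "org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"


def openssl_tls_connectors(server_xml_text):
    """Return the ports of TLS-enabled NIO/NIO2 connectors that use the OpenSSL engine.

    Assumption (Tomcat default): with sslImplementationName unset, NIO/NIO2
    use OpenSSL only when AprLifecycleListener is configured and its
    useOpenSSL attribute is not "false". Only explicit NIO/NIO2 protocol
    class names are considered; the "HTTP/1.1" shorthand is not resolved.
    """
    root = ET.fromstring(server_xml_text)
    apr_openssl = any(
        lst.get("className") == APR_LISTENER
        and lst.get("useOpenSSL", "true").lower() != "false"
        for lst in root.iter("Listener")
    )
    ports = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        if conn.get("protocol", "") not in NIO_PROTOCOLS:
            continue
        impl = conn.get("sslImplementationName")
        if impl == OPENSSL_IMPL or (impl is None and apr_openssl):
            ports.append(conn.get("port"))
    return ports


def assess(version, server_xml_text):
    """Combine both conditions from the advisory into one verdict."""
    connectors = openssl_tls_connectors(server_xml_text)
    affected_version = version_in_affected_range(version)
    return {
        "affected_version": affected_version,
        "openssl_nio_connectors": connectors,
        "exposed": affected_version and bool(connectors),
    }


# Constructed sample server.xml: one NIO+OpenSSL TLS connector (8443) and one
# NIO2 connector explicitly pinned to JSSE (9443), which is out of scope.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" />
  </Service>
</Server>"""

if __name__ == "__main__":
    print(assess("9.0.43", SAMPLE_SERVER_XML))
```

Run it against a real deployment by reading the installed Tomcat's version (for example from the `ServerInfo` class or the RELEASE-NOTES file) and its conf/server.xml; an "exposed" result means both advisory conditions hold and the connector should be moved off the affected build.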

Affected Products/Versions

Product: Oxygen XML Web Author 23.1 and older

Severity: High

Fixed Release Availability: Oxygen XML Web Author 24.0 build 2021101122; Oxygen XML Web Author 23.1 build 2021112409

Mitigation

None

Detail

CVE-2021-41079

Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML software products is one of the affected versions listed in the CVE-2021-41079 vulnerability description.

Starting with Oxygen XML Web Author version 24.0, Apache Tomcat was updated to version 9.0.53, which includes a fix for CVE-2021-41079.

Revision History

2021-12-06: Starting with Oxygen XML Web Author version 23.1 build 2021112409, Apache Tomcat was updated to version 9.0.55, which includes a fix for CVE-2021-41079.
