CVE-2021-42340 - Denial of Service (DoS)

Severity: High

Date: 2021-12-06

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

The Oxygen Feedback product incorporates Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability on Oxygen products.

Affected Products/Versions

Product                              | Severity | Fixed Release Availability
Oxygen Feedback 1.4.3 and older      | High     | Oxygen Feedback 1.4.4 build 2021062217
Oxygen XML Web Author 23.1 and older | High     | Oxygen XML Web Author 23.1 build 2021112409

Severity: High

CVSS Score: 7.5

The Apache Tomcat 9.0.52 third-party library used by Oxygen Feedback products is one of the affected versions listed in the CVE-2021-42340 vulnerability description.

Starting with Oxygen Feedback version 1.4.4, Apache Tomcat was updated to version 9.0.54, which includes the fix for CVE-2021-42340.

Starting with Oxygen XML Web Author version 23.1 build 2021112409, Apache Tomcat was updated to version 9.0.55, which includes the fix for CVE-2021-42340.
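The affected ranges above span four Tomcat branches and include milestone builds (10.1.0-M1 to M5), so a plain string comparison of the bundled version is easy to get wrong. The script below is an added example written for this advisory; it is not Oxygen's or Apache's code. It reads the version Tomcat records in its own `catalina.jar` (the `server.number` key of `org/apache/catalina/util/ServerInfo.properties`) and tests it against the ranges quoted from the Apache advisory. The `SAMPLE_SERVER_INFO` text is constructed for the example to look like the properties file of the 9.0.52 build this advisory says Oxygen Feedback 1.4.3 shipped; the `catalina.jar` path passed on the command line is assumed to be wherever the product's bundled Tomcat keeps it.

```python
"""Check whether a bundled Apache Tomcat falls in the CVE-2021-42340 affected ranges.

Added example for this advisory (not Oxygen's or Apache's code). Usage:
    python check_tomcat.py /path/to/tomcat/lib/catalina.jar
With no argument it runs against the constructed SAMPLE_SERVER_INFO below.
"""
import re
import zipfile
from typing import Optional, Tuple

# Inclusive (first affected, last affected) pairs, exactly as listed in the
# Apache advisory text quoted above. The fix shipped in the next release of
# each branch: 10.1.0-M6, 10.0.12, 9.0.54 and 8.5.72.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M5"),
    ("10.0.0-M1", "10.0.11"),
    ("9.0.40", "9.0.53"),
    ("8.5.60", "8.5.71"),
]

# Matches "9.0.52", "9.0.52.0" (server.number carries a fourth digit) and
# milestone builds such as "10.1.0-M5".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:-M(\d+))?")

GA_SENTINEL = 10**6  # a GA release sorts after every milestone of the same number


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Tomcat version string into a tuple that sorts correctly.

    Milestones sort before the GA release with the same number, so
    10.1.0-M5 < 10.1.0-M6 < 10.1.0.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else GA_SENTINEL
    return (int(major), int(minor), int(patch), ms)


def is_affected(version: str) -> bool:
    """True if `version` lies inside any of the AFFECTED_RANGES."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_server_info(properties_text: str) -> Optional[str]:
    """Pull the server.number value out of ServerInfo.properties text."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("server.number="):
            return line.split("=", 1)[1].strip()
    return None


def version_from_catalina_jar(jar_path: str) -> Optional[str]:
    """Read ServerInfo.properties from a real catalina.jar on disk."""
    with zipfile.ZipFile(jar_path) as jar:
        data = jar.read("org/apache/catalina/util/ServerInfo.properties")
    return version_from_server_info(data.decode("utf-8", errors="replace"))


# Constructed sample (not copied from a real jar): the shape of
# ServerInfo.properties for the 9.0.52 build named in this advisory.
SAMPLE_SERVER_INFO = """\
server.info=Apache Tomcat/9.0.52
server.number=9.0.52.0
"""


def report(version: Optional[str]) -> str:
    """One-line verdict for a version string (None means it could not be read)."""
    if version is None:
        return "could not determine Tomcat version"
    verdict = "AFFECTED" if is_affected(version) else "not affected"
    return f"Tomcat {version}: {verdict} by CVE-2021-42340"


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(report(version_from_catalina_jar(sys.argv[1])))
    else:
        print(report(version_from_server_info(SAMPLE_SERVER_INFO)))
```

A version that parses as "not affected" only tells you the leak fix is present; it says nothing about later Tomcat advisories, so the same check should be re-run against the current Apache range table rather than this one frozen list.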
