Apache Tomcat h2c Request Mix-up Vulnerability (CVE-2021-25122)

Mar 03, 2021 GMT+08:00

I. Overview

The Apache Tomcat security team has identified an h2c connection request mix-up vulnerability (CVE-2021-25122) in specific Apache Tomcat versions. When responding to new h2c connection requests, Apache Tomcat could duplicate the request headers and a limited amount of the request body from one request into another. As a result, user A and user B could both see the results of user A's request.

If you are a Tomcat user, check the version your system runs and apply security hardening in a timely manner.

For more information about this vulnerability, visit the following website:

https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

Apache Tomcat 10.0.0-M1 to 10.0.0

Apache Tomcat 9.0.0.M1 to 9.0.41

Apache Tomcat 8.5.0 to 8.5.61

Secure versions:

Apache Tomcat 10.0.2 or later

Apache Tomcat 9.0.43 or later

Apache Tomcat 8.5.63 or later
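To turn the ranges above into the check that Section I asks for, here is an added Python helper; it is not part of this notice or of the Tomcat project. It parses Tomcat version strings (including the 10.0.0-M1 and 9.0.0.M1 milestone forms and the "Apache Tomcat/x.y.z" banner form) and classifies them against the ranges listed above; the labels "affected", "fixed" and "unlisted" are my own, and "unlisted" covers versions the notice names on neither side (for example 9.0.42) as well as branches it does not cover.

```python
import re

# Version ranges exactly as stated in the notice for CVE-2021-25122.
# Per branch: (first affected, last affected, first secure release).
ADVISORY_RANGES = {
    "10.0": ("10.0.0-M1", "10.0.0", "10.0.2"),
    "9.0":  ("9.0.0.M1",  "9.0.41", "9.0.43"),
    "8.5":  ("8.5.0",     "8.5.61", "8.5.63"),
}

# Optional "Apache Tomcat/" prefix, x.y.z, optional "-Mn" or ".Mn" milestone.
_VERSION_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Turn a Tomcat version string into a sortable tuple.

    Milestones sort before the final release of the same number:
    10.0.0-M1 -> (10, 0, 0, 0, 1), 10.0.0 -> (10, 0, 0, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def classify(text):
    """Return 'affected', 'fixed' or 'unlisted' for CVE-2021-25122."""
    v = parse_version(text)
    branch = f"{v[0]}.{v[1]}"
    if branch not in ADVISORY_RANGES:
        return "unlisted"  # e.g. 8.0.x or 7.0.x: not covered by this notice
    first, last, secure = (parse_version(s) for s in ADVISORY_RANGES[branch])
    if first <= v <= last:
        return "affected"
    if v >= secure:
        return "fixed"
    return "unlisted"  # e.g. 9.0.42 or 10.0.1: named on neither side


if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real host.
    for banner in ["Apache Tomcat/9.0.41", "10.0.0-M7", "8.5.63", "9.0.42", "8.0.53"]:
        print(f"{banner:24} -> {classify(banner)}")
```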

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.

Apache Tomcat 10.x

Apache Tomcat 9.x

Apache Tomcat 8.x

Note: Before applying the fix, back up your files and test the upgrade thoroughly.