CVE-2021-30639: 
Java vulnerability analysis and mitigation

CVE-2021-30639 is a vulnerability discovered in Apache Tomcat that allows an attacker to remotely trigger a denial of service. The vulnerability was disclosed on July 12, 2021, affecting Apache Tomcat versions 10.0.3 to 10.0.4, 9.0.44, and 8.5.64. The issue stems from an error in handling non-blocking I/O operations (NVD, CVE).

The vulnerability arose from an error introduced during improvements to error handling in non-blocking I/O operations. The error flag associated with the Request object was not being reset between requests, causing all future requests handled by that request object to fail once a non-blocking I/O error occurred. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability allows attackers to trigger a denial of service condition. Users can trigger non-blocking I/O errors, for example by dropping a connection, which creates the possibility of a DoS attack. However, applications that do not use non-blocking I/O are not exposed to this vulnerability (NVD).

The vulnerability has been addressed in subsequent versions of Apache Tomcat. Organizations using affected versions (10.0.3 to 10.0.4, 9.0.44, and 8.5.64) should upgrade to patched versions. Various vendors have also released security updates to address this vulnerability in their products, including Oracle, NetApp, and McAfee (Oracle, NetApp).