CVE-2021-42340: 
Java vulnerability analysis and mitigation

The vulnerability (CVE-2021-42340) affects Apache Tomcat versions 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53, and 8.5.60 to 8.5.71. The issue was introduced in a fix for bug 63362, where an object used to collect metrics for HTTP upgrade connections was not properly released for WebSocket connections after closure (Apache Tomcat Announce).

The vulnerability is a memory leak issue where the object responsible for collecting metrics for HTTP upgrade connections remains unreleased specifically for WebSocket connections after they are closed. The severity is rated as HIGH with a CVSS v3.1 base score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

The memory leak, if left unaddressed, could accumulate over time and eventually lead to a denial of service condition through an OutOfMemoryError, potentially affecting the availability of the Tomcat server (NVD).

The issue has been fixed in Apache Tomcat versions 8.5.72, 9.0.54, and 10.0.12. Users should upgrade to these or later versions to address the vulnerability. Multiple vendors have also released patches including Oracle, Debian, and NetApp (Debian Security, NetApp Advisory).