CVE-2021-43980: 
Java vulnerability analysis and mitigation

CVE-2021-43980 is a concurrency vulnerability in Apache Tomcat that was discovered in the simplified implementation of blocking reads and writes. The vulnerability affects Apache Tomcat versions 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60, and 8.5.0 to 8.5.77. The issue was identified by Adam Thomas, Richard Hernandez, and Ryan Schmitt, who worked with the Tomcat security team to determine the root cause (OSS Security).

The vulnerability stems from a long-standing concurrency bug that was exposed when a simplified implementation of blocking reads and writes was introduced in Tomcat 10 and back-ported to Tomcat 9.0.47. The technical issue involves the sharing of Http11Processor instances between client connections, which can lead to information disclosure (CVE Mitre).

When exploited, this vulnerability can cause client connections to share an Http11Processor instance, resulting in responses or partial responses being received by the wrong client. This creates a significant information disclosure risk where sensitive data intended for one client could be exposed to another (Debian Security).

The issue has been addressed through security updates in various distributions. Debian has released fixes in version 9.0.31-1~deb10u7 for Debian 10 (Buster) and version 9.0.43-2~deb11u4 for the stable distribution (Bullseye). Users are recommended to upgrade their tomcat9 packages to the latest versions (Debian LTS).