
Loop with Unreachable Exit Condition ('Infinite Loop')

CVE-2021-41079

Severity High
Score 7.5/10

Summary

Apache Tomcat 8.5.0 through 8.5.63, 9.0.0-M1 through 9.0.43, and 10.0.0-M1 through 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

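  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • User Interaction: NONE
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: HIGH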

CWE-835 - Loop with Unreachable Exit Condition

Loops with multiple exits and flags detract from the quality of an application. They tend to make control structures difficult to understand, and introduce the risk of non-termination and other structural problems. A loop with an unreachable exit condition lets an attacker who can trigger it keep the loop from ever terminating, leading to denial of service.
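The following added example illustrates CWE-835 in a record-parsing loop beside a hardened form; it is not Tomcat's code and does not reproduce the CVE-2021-41079 defect. The 5-byte TLS-like header, the `MAX_PAYLOAD` limit, the class and method names, and the sample bytes are all assumptions constructed for the illustration.

```java
import java.nio.ByteBuffer;

public class RecordLoopDemo {
    static final int HEADER_LEN = 5;       // type(1) + version(2) + length(2), TLS-like (assumed)
    static final int MAX_PAYLOAD = 16384;  // assumed upper bound for this demo

    // Flawed loop: an incomplete record is retried without consuming input or
    // returning, so the exit condition can never be reached.
    // maxSpins exists only so the demo terminates; the flawed pattern has no such guard.
    static int parseFlawed(ByteBuffer in, int maxSpins) {
        int records = 0, spins = 0;
        while (in.hasRemaining()) {
            if (++spins > maxSpins) return -1;               // demo-only: loop is stuck
            if (in.remaining() < HEADER_LEN) continue;       // BUG: no progress
            int len = in.getShort(in.position() + 3) & 0xFFFF;
            if (in.remaining() < HEADER_LEN + len) continue; // BUG: no progress
            in.position(in.position() + HEADER_LEN + len);
            records++;
        }
        return records;
    }

    // Hardened loop: each iteration consumes a whole record, stops to wait for
    // more data, or rejects the input. No path repeats without progress.
    static int parseHardened(ByteBuffer in) {
        int records = 0;
        while (in.remaining() >= HEADER_LEN) {
            int len = in.getShort(in.position() + 3) & 0xFFFF;
            if (len > MAX_PAYLOAD)
                throw new IllegalArgumentException("record length " + len + " exceeds limit");
            if (in.remaining() < HEADER_LEN + len) break;    // incomplete: caller reads more
            in.position(in.position() + HEADER_LEN + len);
            records++;
        }
        return records;
    }

    public static void main(String[] args) {
        // Constructed input: one complete 2-byte record, then a header that
        // declares 16 payload bytes while only 1 is present.
        byte[] data = {0x17, 3, 3, 0, 2, 'h', 'i', 0x17, 3, 3, 0, 16, 'x'};
        System.out.println("flawed:   " + parseFlawed(ByteBuffer.wrap(data), 1_000_000));
        ByteBuffer buf = ByteBuffer.wrap(data);
        System.out.println("hardened: " + parseHardened(buf) + " record(s), "
                + buf.remaining() + " byte(s) left for the next read");
    }
}
```

The flawed parser returns `-1` only because of the demo spin limit, while the hardened parser reports one record and leaves six bytes buffered for the caller's next read.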

Advisory Timeline

  • Published