You are here

CVE-2021-43980 - Airlock IAM

java, tomcat

The Tomcat 9.0.62 Update includes a fix for CVE-2021-43980.

Update recommended for Airlock IAM. No actions required for Airlock Gateway.


CVE-2021-43980: Information Disclosure Vulnerability cause by open client connections sharing an Http11Processor instance. The vulnerability is very hard to trigger and thus has a CVSS 3.x Score of 3.7 (LOW). Gateways with appropriate request limits such as Airlock Gateway help to reduce the attack surface even more. Airlock IAM < 7.4.7, 7.5.4, 7.6.3, 7.7.1 are vulnerable. It is recommended to update Airlock IAM to >= 7.4.7, 7.5.4, 7.6.3, 7.7.1.

Airlock Gateway uses Tomcat for the Configuration Center. The affected connector (http/1.1) is not used (AJP is used instead).


Update affected Airlock IAM versions to Airlock IAM 7.4.7Airlock IAM 7.5.4, Airlock IAM 7.6.3 or Airlock IAM 7.7.1.

General Advice: We recommend to update all backends using tomcat < 9.0.62

Authentication service
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution