CVE-2021-3859

Description

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

CVSS Metrics

• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.32%• Percentile: 55%

Techniques & Countermeasures

• CWE-668•Exposure of Resource to Wrong Sphere

  The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

• CWE-214•Invocation of Process Using Visible Sensitive Information

  A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.

Affected Systems

• io.undertow•undertow-core

  < 2.2.15

• netapp•cloud_secure_agent

  na

• netapp•oncommand_insight

  na

• netapp•oncommand_workflow_automation

  na

• redhat•jboss_enterprise_application_platform

  7.3 | 7.4

• redhat•single_sign-on

  7.4.10 | 7.5.1

• redhat•undertow

  < 2.2.15

References (11)

• https://bugzilla.redhat.com/show_bug.cgi?id=2010378
• https://issues.redhat.com/browse/UNDERTOW-1979
• https://github.com/undertow-io/undertow/pull/1296
• https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2
• https://access.redhat.com/security/cve/CVE-2021-3859
• https://security.netapp.com/advisory/ntap-20221201-0004/
• https://nvd.nist.gov/vuln/detail/CVE-2021-3859
• https://github.com/undertow-io/undertow/commit/db0f5be43f8e2a4b88fbedd2eb6d5a95a29ceaa8
• https://access.redhat.com/security/cve/cve-2021-3859
• https://github.com/undertow-io/undertow
• https://security.netapp.com/advisory/ntap-20221201-0004