A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00163.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Netapp
  • Active Iq Unified Manager
  • Oncommand Insight
  • Oncommand Workflow Automation
Redhat
  • Enterprise Linux
  • Fuse
  • Jboss Enterprise Application Platform
  • Jboss Fuse
  • Jbosseapxp
  • Openshift Application Runtimes
  • Red Hat Single Sign On
  • Single Sign-on
  • Undertow

Configuration 1 [-]

OR cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:2.0.35:-:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:2.0.36:-:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:2.0.39:-:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:2.2.6:-:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:2.2.7:-:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:2.2.9:-:*:*:*:*:*:*

Configuration 2 [-]

AND
OR cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*
OR cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
Package CPE Advisory Released Date
EAP 7.3.9 release
undertow cpe:/a:redhat:jboss_enterprise_application_platform:7.3 RHSA-2021:3471 2021-09-08T00:00:00Z
EAP 7.4.1 release
cpe:/a:redhat:jboss_enterprise_application_platform:7.4 RHSA-2021:3660 2021-09-23T00:00:00Z
Red Hat EAP-XP 2.0.0 via EAP 7.3.x base
undertow cpe:/a:redhat:jbosseapxp RHSA-2021:3516 2021-09-13T00:00:00Z
Red Hat Fuse 7.10
undertow cpe:/a:redhat:jboss_fuse:7 RHSA-2021:5134 2021-12-14T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el6eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6 RHSA-2021:3466 2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7 RHSA-2021:3467 2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8 RHSA-2021:3468 2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 RHSA-2021:3658 2021-09-23T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 RHSA-2021:3656 2021-09-23T00:00:00Z
Red Hat Single Sign-On 7.4.9
undertow cpe:/a:redhat:red_hat_single_sign_on:7 RHSA-2021:3534 2021-09-14T00:00:00Z
Red Hat Support for Spring Boot 2.5.10
undertow cpe:/a:redhat:openshift_application_runtimes:1.0 RHSA-2022:1179 2022-04-12T00:00:00Z

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2022-4550 A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
Github GHSA Github GHSA GHSA-mfhv-gwf8-4m88 undertow Race Condition vulnerability
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1970930 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-3597 cve-icon
https://security.netapp.com/advisory/ntap-20220804-0003/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-3597 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2024-08-03T17:01:07.706Z

Reserved: 2021-06-11T00:00:00

Link: CVE-2021-3597

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-05-24T19:15:09.037

Modified: 2024-11-21T06:21:56.077

Link: CVE-2021-3597

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-06-11T00:00:00Z

Links: CVE-2021-3597 - Bugzilla

cve-icon OpenCVE Enrichment

No data.