CVE-2021-3597 - OpenCVE

A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:H/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Netapp	Active Iq Unified Manager Oncommand Insight Oncommand Workflow Automation
Redhat	Enterprise Linux Fuse Jboss Enterprise Application Platform Jboss Fuse Jbosseapxp Openshift Application Runtimes Red Hat Single Sign On Single Sign-on Undertow

Configuration 1 [-]

OR	cpe:2.3:a:redhat:fuse:1.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:-::::text-only:::
	cpe:2.3:a:redhat:openshift_application_runtimes:-::::text-only:::
	cpe:2.3:a:redhat:single_sign-on:-::::text-only:::
	cpe:2.3:a:redhat:undertow::::::::
	cpe:2.3:a:redhat:undertow::::::::
	cpe:2.3:a:redhat:undertow:2.0.35:-::::::
	cpe:2.3:a:redhat:undertow:2.0.36:-::::::
	cpe:2.3:a:redhat:undertow:2.0.39:-::::::
	cpe:2.3:a:redhat:undertow:2.2.6:-::::::
	cpe:2.3:a:redhat:undertow:2.2.7:-::::::
	cpe:2.3:a:redhat:undertow:2.2.9:-::::::

Configuration 2 [-]

AND

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:::::::*

OR	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*

Package	CPE	Advisory	Released Date
EAP 7.3.9 release
undertow	cpe:/a:redhat:jboss_enterprise_application_platform:7.3	RHSA-2021:3471	2021-09-08T00:00:00Z
EAP 7.4.1 release
	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2021:3660	2021-09-23T00:00:00Z
Red Hat EAP-XP 2.0.0 via EAP 7.3.x base
undertow	cpe:/a:redhat:jbosseapxp	RHSA-2021:3516	2021-09-13T00:00:00Z
Red Hat Fuse 7.10
undertow	cpe:/a:redhat:jboss_fuse:7	RHSA-2021:5134	2021-12-14T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:3466	2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:3467	2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8
eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-hal-console-0:3.2.16-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-hibernate-0:5.3.20-4.SP2_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-9.Final_redhat_00010.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-narayana-0:5.9.12-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-undertow-0:2.0.39-1.SP2_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-wildfly-0:7.3.9-2.GA_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-wildfly-http-client-0:1.0.29-1.Final_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:3468	2021-09-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2021:3658	2021-09-23T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2021:3656	2021-09-23T00:00:00Z
Red Hat Single Sign-On 7.4.9
undertow	cpe:/a:redhat:red_hat_single_sign_on:7	RHSA-2021:3534	2021-09-14T00:00:00Z
Red Hat Support for Spring Boot 2.5.10
undertow	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:1179	2022-04-12T00:00:00Z

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1970930
https://nvd.nist.gov/vuln/detail/CVE-2021-3597
https://security.netapp.com/advisory/ntap-20220804-0003/
https://www.cve.org/CVERecord?id=CVE-2021-3597

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-05-24T18:19:11

Updated: 2024-08-03T17:01:07.706Z

Reserved: 2021-06-11T00:00:00

Link: CVE-2021-3597

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-05-24T19:15:09.037

Modified: 2022-11-10T16:43:28.037

Link: CVE-2021-3597

Redhat

Severity : Moderate

Publid Date: 2021-06-11T00:00:00Z

Links: CVE-2021-3597 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object