{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-3859", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-03T17:09:09.581Z", "dateReserved": "2021-10-05T00:00:00", "datePublished": "2022-08-26T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-12-02T00:00:00"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks."}], "affected": [{"vendor": "n/a", "product": "undertow", "versions": [{"version": "Fixed in 2.2.15.Final", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"}, {"url": "https://issues.redhat.com/browse/UNDERTOW-1979"}, {"url": "https://github.com/undertow-io/undertow/pull/1296"}, {"url": "https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2"}, {"url": "https://access.redhat.com/security/cve/CVE-2021-3859"}, {"url": "https://security.netapp.com/advisory/ntap-20221201-0004/"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-214 - Invocation of Process Using Visible Sensitive Information", "cweId": "CWE-214"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:09:09.581Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378", "tags": ["x_transferred"]}, {"url": "https://issues.redhat.com/browse/UNDERTOW-1979", "tags": ["x_transferred"]}, {"url": "https://github.com/undertow-io/undertow/pull/1296", "tags": ["x_transferred"]}, {"url": "https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2021-3859", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20221201-0004/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:single_sign-on:7.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "914B069A-7ED5-4DA0-BD84-20BA86E9D1C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:single_sign-on:7.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "B4DD1F37-BD9F-4BB9-AA28-AC695E124503", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", "matchCriteriaId": "599687A7-A1D4-417E-BE51-612AF39BAF4C", "versionEndExcluding": "2.2.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*", "matchCriteriaId": "F0F202E8-97E6-4BBB-A0B6-4CA3F5803C08", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks."}, {"lang": "es", "value": "Se ha encontrado un fallo en Undertow que dispara el tiempo de espera de la invocaci\u00f3n del lado del cliente con determinadas llamadas realizadas a trav\u00e9s de HTTP2. Este fallo permite a un atacante realizar ataques de denegaci\u00f3n de servicio."}], "id": "CVE-2021-3859", "lastModified": "2022-12-13T02:25:10.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-26T16:15:09.623", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2021-3859"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/undertow-io/undertow/pull/1296"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://issues.redhat.com/browse/UNDERTOW-1979"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221201-0004/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-214"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:0406", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3", "package": "undertow", "product_name": "EAP 7.3 async", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "impact": "moderate", "package": "undertow", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}, {"advisory": "RHSA-2022:0404", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1.0", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:0405", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-undertow-0:2.0.41-2.SP2_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:0405", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-undertow-0:2.0.41-2.SP2_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:0405", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-undertow-0:2.0.41-2.SP2_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:0401", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-undertow-0:2.2.13-1.SP2_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:0400", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-undertow-0:2.2.13-1.SP2_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:0408", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "product_name": "Red Hat Single Sign-On 7.4.10", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:0447", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7", "package": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso", "product_name": "Red Hat Single Sign-On 7.5 for RHEL 7", "release_date": "2022-02-07T00:00:00Z"}, {"advisory": "RHSA-2022:0448", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8", "package": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso", "product_name": "Red Hat Single Sign-On 7.5 for RHEL 8", "release_date": "2022-02-07T00:00:00Z"}, {"advisory": "RHSA-2022:1179", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "undertow", "product_name": "Red Hat Support for Spring Boot 2.5.10", "release_date": "2022-04-12T00:00:00Z"}, {"advisory": "RHSA-2022:0409", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso74-openshift-rhel8:7.4-44", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:0410", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso74-openj9-openshift-rhel8:7.4-59", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:0415", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "redhat-sso-7-sso75-openshift-rhel8-container-7.5-16", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:0415", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-8", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2022-02-02T00:00:00Z"}, {"advisory": "RHSA-2022:0407", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "product_name": "RHSSO 7.5.1", "release_date": "2022-02-02T00:00:00Z"}], "bugzilla": {"description": "undertow: client side invocation timeout raised when calling over HTTP2", "id": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-214", "details": ["A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks."], "name": "CVE-2021-3859", "package_state": [{"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "undertow", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "impact": "low", "package_name": "undertow", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Process Automation 7"}], "public_date": "2022-02-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3859\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3859"], "statement": "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "threat_severity": "Important"}