CVE-2021-3597
undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
Severity Score
5.9
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
Se ha encontrado un fallo en Undertow. El HTTP2SourceChannel no escribe la última trama en algunas circunstancias, resultando en una denegación de servicio. La mayor amenaza de esta vulnerabilidad es la disponibilidad. Este fallo afecta a Undertow versiones anteriores a 2.0.35.SP1, anteriores a 2.2.6.SP1, anteriores a 2.2.7.SP1, anteriores a 2.0.36.SP1, anteriores a 2.2.9.Final y anteriores a 2.0.39.Final
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability.
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.0 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.1 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, and traversal vulnerabilities.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-06-11 CVE Reserved
- 2021-09-08 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20220804-0003 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1970930 | 2022-04-12 | |
| https://access.redhat.com/security/cve/CVE-2021-3597 | 2022-04-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.3 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.3 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.3 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.4 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.4" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.4 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.4" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.4 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.4" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Fuse Search vendor "Redhat" for product "Fuse" | 1.0 Search vendor "Redhat" for product "Fuse" and version "1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | - | text-only |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Application Runtimes Search vendor "Redhat" for product "Openshift Application Runtimes" | - | text-only |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | - | text-only |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Undertow Search vendor "Redhat" for product "Undertow" | < 2.0.35 Search vendor "Redhat" for product "Undertow" and version " < 2.0.35" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Undertow Search vendor "Redhat" for product "Undertow" | >= 2.2.0 < 2.2.6 Search vendor "Redhat" for product "Undertow" and version " >= 2.2.0 < 2.2.6" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Undertow Search vendor "Redhat" for product "Undertow" | 2.0.35 Search vendor "Redhat" for product "Undertow" and version "2.0.35" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Undertow Search vendor "Redhat" for product "Undertow" | 2.0.36 Search vendor "Redhat" for product "Undertow" and version "2.0.36" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Undertow Search vendor "Redhat" for product "Undertow" | 2.0.39 Search vendor "Redhat" for product "Undertow" and version "2.0.39" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Undertow Search vendor "Redhat" for product "Undertow" | 2.2.6 Search vendor "Redhat" for product "Undertow" and version "2.2.6" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Undertow Search vendor "Redhat" for product "Undertow" | 2.2.7 Search vendor "Redhat" for product "Undertow" and version "2.2.7" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Undertow Search vendor "Redhat" for product "Undertow" | 2.2.9 Search vendor "Redhat" for product "Undertow" and version "2.2.9" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | - | linux |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | - | vmware_vsphere |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | - | windows |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Oncommand Insight Search vendor "Netapp" for product "Oncommand Insight" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Oncommand Workflow Automation Search vendor "Netapp" for product "Oncommand Workflow Automation" | - | - |
Affected
| ||||||