CVE-2021-41973

Apache MINA HTTP listener DOS

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.

En Apache MINA, una petición HTTP específicamente diseñada y malformada puede causar que el decodificador de encabezados HTTP haga un bucle indefinido. El decodificador asume que el encabezado HTTP comienza al principio del buffer y hace un bucle si presenta más datos de los esperados. Por favor, actualice MINA a versión 2.1.5 o superior

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-10-04 CVE Reserved
2021-11-01 CVE Published
2024-07-17 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (4)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/11/01/8	Mailing List

URL	Date	SRC

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2021/11/01/2	2022-05-02
https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E	2022-05-02
https://www.oracle.com/security-alerts/cpuapr2022.html	2022-05-02

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Mina Search vendor "Apache" for product "Mina"				< 2.0.22 Search vendor "Apache" for product "Mina" and version " < 2.0.22"		-		Affected
Apache Search vendor "Apache"		Mina Search vendor "Apache" for product "Mina"				>= 2.1.0 < 2.1.5 Search vendor "Apache" for product "Mina" and version " >= 2.1.0 < 2.1.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Payments Search vendor "Oracle" for product "Banking Payments"				14.5 Search vendor "Oracle" for product "Banking Payments" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management"				14.5 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Treasury Management Search vendor "Oracle" for product "Banking Treasury Management"				14.5 Search vendor "Oracle" for product "Banking Treasury Management" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Console Search vendor "Oracle" for product "Communications Cloud Native Core Console"				1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Console" and version "1.9.0"		-		Affected
Oracle Search vendor "Oracle"		Customer Management And Segmentation Foundation Search vendor "Oracle" for product "Customer Management And Segmentation Foundation"				18.0 Search vendor "Oracle" for product "Customer Management And Segmentation Foundation" and version "18.0"		-		Affected
Oracle Search vendor "Oracle"		Customer Management And Segmentation Foundation Search vendor "Oracle" for product "Customer Management And Segmentation Foundation"				19.0 Search vendor "Oracle" for product "Customer Management And Segmentation Foundation" and version "19.0"		-		Affected
Oracle Search vendor "Oracle"		Flexcube Universal Banking Search vendor "Oracle" for product "Flexcube Universal Banking"				>= 14.0 <= 14.3 Search vendor "Oracle" for product "Flexcube Universal Banking" and version " >= 14.0 <= 14.3"		-		Affected
Oracle Search vendor "Oracle"		Flexcube Universal Banking Search vendor "Oracle" for product "Flexcube Universal Banking"				14.5 Search vendor "Oracle" for product "Flexcube Universal Banking" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Fusion Middleware Common Libraries And Tools Search vendor "Oracle" for product "Fusion Middleware Common Libraries And Tools"				12.2.1.3.0 Search vendor "Oracle" for product "Fusion Middleware Common Libraries And Tools" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Fusion Middleware Common Libraries And Tools Search vendor "Oracle" for product "Fusion Middleware Common Libraries And Tools"				12.2.1.4.0 Search vendor "Oracle" for product "Fusion Middleware Common Libraries And Tools" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Fusion Middleware Common Libraries And Tools Search vendor "Oracle" for product "Fusion Middleware Common Libraries And Tools"				14.1.1.0.0 Search vendor "Oracle" for product "Fusion Middleware Common Libraries And Tools" and version "14.1.1.0.0"		-		Affected
Oracle Search vendor "Oracle"		Oss Support Tools Search vendor "Oracle" for product "Oss Support Tools"				2.12.42 Search vendor "Oracle" for product "Oss Support Tools" and version "2.12.42"		-		Affected