CVE-2021-3859 — HIGH (7.5) — White Hats Nepal

Q: What is CVE-2021-3859?

CVE-2021-3859 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

Q: How severe is CVE-2021-3859?

CVE-2021-3859 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-3859?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Jboss Enterprise Application Platform, Redhat Single Sign-On, Redhat Undertow, Netapp Cloud Secure Agent, Netapp Oncommand Insight.

Vulnerability Description

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Redhat	Jboss Enterprise Application Platform	7.3
Redhat	Single Sign-On	7.4.10
Redhat	Undertow	< 2.2.15
Netapp	Cloud Secure Agent	-
Netapp	Oncommand Insight	-
Netapp	Oncommand Workflow Automation	-

Related Weaknesses (CWE)

CWE-668 CWE-214

References

https://access.redhat.com/security/cve/CVE-2021-3859Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2010378Issue TrackingVendor Advisory
https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a8PatchThird Party Advisory
https://github.com/undertow-io/undertow/pull/1296Third Party Advisory
https://issues.redhat.com/browse/UNDERTOW-1979Issue TrackingPatchVendor Advisory
https://security.netapp.com/advisory/ntap-20221201-0004/Third Party Advisory
https://access.redhat.com/security/cve/CVE-2021-3859Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2010378Issue TrackingVendor Advisory
https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a8PatchThird Party Advisory
https://github.com/undertow-io/undertow/pull/1296Third Party Advisory
https://issues.redhat.com/browse/UNDERTOW-1979Issue TrackingPatchVendor Advisory
https://security.netapp.com/advisory/ntap-20221201-0004/Third Party Advisory

FAQ

What is CVE-2021-3859?

CVE-2021-3859 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

How severe is CVE-2021-3859?

CVE-2021-3859 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-3859?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Jboss Enterprise Application Platform, Redhat Single Sign-On, Redhat Undertow, Netapp Cloud Secure Agent, Netapp Oncommand Insight.