MEDIUM · 6.5

CVE-2021-41973

Vulnerability Description

In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH

Affected Products

Vendor | Product | Versions
Apache | Mina | < 2.0.22
Oracle | Banking Payments | 14.5
Oracle | Banking Trade Finance Process Management | 14.5
Oracle | Banking Treasury Management | 14.5
Oracle | Communications Cloud Native Core Console | 1.9.0
Oracle | Customer Management And Segmentation Foundation | 18.0
Oracle | Flexcube Universal Banking | >= 14.0, <= 14.3
Oracle | Fusion Middleware Common Libraries And Tools | 12.2.1.3.0
Oracle | Oss Support Tools | 2.12.42

References

FAQ

What is CVE-2021-41973?

CVE-2021-41973 is a vulnerability with a CVSS score of 6.5 (MEDIUM). In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer an...

How severe is CVE-2021-41973?

CVE-2021-41973 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2021-41973?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Mina, Oracle Banking Payments, Oracle Banking Trade Finance Process Management, Oracle Banking Treasury Management, Oracle Communications Cloud Native Core Console.