Bug 2010378 (CVE-2021-3859)
| Summary: | CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2 | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aboyko, aileenc, akoufoud, alazarot, anstephe, antcosta, asoldano, atangrin, avibelli, bbaranow, bgeorges, bibryam, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, eleandro, emingora, eric.wittmann, etirelli, fjuma, ggaughan, gmalinko, gsmet, hamadhan, hbraun, ibek, ikanello, iweiss, janstey, jjoyce, jnethert, jochrist, jpallich, jperkins, jrokos, jschluet, jstastny, jwon, krathod, kverlaen, kwills, lgao, lhh, lpeer, lthon, mburns, mkolesni, mnovotny, msochure, msvehla, mszynkie, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sclewis, scohen, sdouglas, security-response-team, slinaber, smaestri, sthorger, tom.jenkinson, tzimanyi, yborgess |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-02-07 14:43:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2005954, 2010667 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-10-04 14:16:47 UTC
Comment made in error Marking Red Hat Fuse 6 as being affected at a low impact, this is because although versions of undertow affected by this vulnerability are distributed and used by Fuse 6, the vulnerable HTTP2 functionality in undertow is not used in Fuse 6. This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2022:0400 https://access.redhat.com/errata/RHSA-2022:0400 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2022:0401 https://access.redhat.com/errata/RHSA-2022:0401 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2022:0404 https://access.redhat.com/errata/RHSA-2022:0404 This issue has been addressed in the following products: EAP 7.3 async Via RHSA-2022:0406 https://access.redhat.com/errata/RHSA-2022:0406 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2022:0405 https://access.redhat.com/errata/RHSA-2022:0405 This issue has been addressed in the following products: RHSSO 7.5.1 Via RHSA-2022:0407 https://access.redhat.com/errata/RHSA-2022:0407 This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.10 Via RHSA-2022:0408 https://access.redhat.com/errata/RHSA-2022:0408 This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2022:0409 https://access.redhat.com/errata/RHSA-2022:0409 This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2022:0410 https://access.redhat.com/errata/RHSA-2022:0410 This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2022:0415 https://access.redhat.com/errata/RHSA-2022:0415 This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 8 Via RHSA-2022:0448 https://access.redhat.com/errata/RHSA-2022:0448 This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 7 Via RHSA-2022:0447 https://access.redhat.com/errata/RHSA-2022:0447 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3859 This issue has been addressed in the following products: Red Hat Support for Spring Boot 2.5.10 Via RHSA-2022:1179 https://access.redhat.com/errata/RHSA-2022:1179 This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Via RHSA-2024:10207 https://access.redhat.com/errata/RHSA-2024:10207 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Via RHSA-2025:4226 https://access.redhat.com/errata/RHSA-2025:4226 |