Bug 1991299 (CVE-2021-3690) - CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS
Summary: CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may le...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1990700 1991309
TreeView+ depends on / blocked
 
Reported: 2021-08-09 00:08 UTC by Kunjan Rathod
Modified: 2021-09-23 16:30 UTC (History)
81 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
Clone Of:
Environment:
Last Closed: 2021-08-18 21:35:00 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3216 0 None None None 2021-08-18 18:05:45 UTC
Red Hat Product Errata RHSA-2021:3217 0 None None None 2021-08-18 18:11:45 UTC
Red Hat Product Errata RHSA-2021:3218 0 None None None 2021-08-18 18:08:19 UTC
Red Hat Product Errata RHSA-2021:3219 0 None None None 2021-08-18 18:19:01 UTC
Red Hat Product Errata RHSA-2021:3425 0 None None None 2021-09-09 06:19:24 UTC
Red Hat Product Errata RHSA-2021:3466 0 None None None 2021-09-08 14:07:10 UTC
Red Hat Product Errata RHSA-2021:3467 0 None None None 2021-09-08 14:09:31 UTC
Red Hat Product Errata RHSA-2021:3468 0 None None None 2021-09-08 14:05:06 UTC
Red Hat Product Errata RHSA-2021:3471 0 None None None 2021-09-08 13:06:17 UTC
Red Hat Product Errata RHSA-2021:3516 0 None None None 2021-09-13 17:34:36 UTC
Red Hat Product Errata RHSA-2021:3534 0 None None None 2021-09-14 12:38:15 UTC
Red Hat Product Errata RHSA-2021:3656 0 None None None 2021-09-23 16:16:15 UTC
Red Hat Product Errata RHSA-2021:3658 0 None None None 2021-09-23 16:25:04 UTC
Red Hat Product Errata RHSA-2021:3660 0 None None None 2021-09-23 16:30:41 UTC

Description Kunjan Rathod 2021-08-09 00:08:26 UTC
A vulnerability was found in Undertow where buffer leak on incoming websocket PONG message may lead to memory exhaustion. 

https://issues.redhat.com/browse/UNDERTOW-1935

Comment 22 errata-xmlrpc 2021-08-18 18:05:42 UTC
This issue has been addressed in the following products:

  EAP 7.3 async

Via RHSA-2021:3216 https://access.redhat.com/errata/RHSA-2021:3216

Comment 23 errata-xmlrpc 2021-08-18 18:08:15 UTC
This issue has been addressed in the following products:

  EAP 7.4 async

Via RHSA-2021:3218 https://access.redhat.com/errata/RHSA-2021:3218

Comment 24 errata-xmlrpc 2021-08-18 18:11:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:3217 https://access.redhat.com/errata/RHSA-2021:3217

Comment 25 errata-xmlrpc 2021-08-18 18:18:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2021:3219 https://access.redhat.com/errata/RHSA-2021:3219

Comment 26 Product Security DevOps Team 2021-08-18 21:35:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3690

Comment 29 errata-xmlrpc 2021-09-08 13:06:13 UTC
This issue has been addressed in the following products:

  EAP 7.3.9 release

Via RHSA-2021:3471 https://access.redhat.com/errata/RHSA-2021:3471

Comment 30 errata-xmlrpc 2021-09-08 14:05:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:3468 https://access.redhat.com/errata/RHSA-2021:3468

Comment 31 errata-xmlrpc 2021-09-08 14:07:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:3466 https://access.redhat.com/errata/RHSA-2021:3466

Comment 32 errata-xmlrpc 2021-09-08 14:09:27 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:3467 https://access.redhat.com/errata/RHSA-2021:3467

Comment 33 errata-xmlrpc 2021-09-09 06:19:20 UTC
This issue has been addressed in the following products:

  Red Hat support for Spring Boot 2.3.10

Via RHSA-2021:3425 https://access.redhat.com/errata/RHSA-2021:3425

Comment 34 errata-xmlrpc 2021-09-13 17:34:32 UTC
This issue has been addressed in the following products:

  Red Hat EAP-XP 2.0.0 via EAP 7.3.x base

Via RHSA-2021:3516 https://access.redhat.com/errata/RHSA-2021:3516

Comment 35 errata-xmlrpc 2021-09-14 12:38:11 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.9

Via RHSA-2021:3534 https://access.redhat.com/errata/RHSA-2021:3534

Comment 36 errata-xmlrpc 2021-09-23 16:16:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2021:3656 https://access.redhat.com/errata/RHSA-2021:3656

Comment 37 errata-xmlrpc 2021-09-23 16:24:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2021:3658 https://access.redhat.com/errata/RHSA-2021:3658

Comment 38 errata-xmlrpc 2021-09-23 16:30:37 UTC
This issue has been addressed in the following products:

  EAP 7.4.1 release

Via RHSA-2021:3660 https://access.redhat.com/errata/RHSA-2021:3660


Note You need to log in before you can comment on or make changes to this bug.