Bug 2010378 (CVE-2021-3859) - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
Summary: CVE-2021-3859 undertow: client side invocation timeout raised when calling ov...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3859
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2005954 2010667
TreeView+ depends on / blocked
 
Reported: 2021-10-04 14:16 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-07-07 16:30 UTC (History)
86 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.
Clone Of:
Environment:
Last Closed: 2022-02-07 14:43:25 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0400 0 None None None 2022-02-02 13:23:26 UTC
Red Hat Product Errata RHSA-2022:0401 0 None None None 2022-02-02 13:26:41 UTC
Red Hat Product Errata RHSA-2022:0404 0 None None None 2022-02-02 13:30:10 UTC
Red Hat Product Errata RHSA-2022:0405 0 None None None 2022-02-02 13:52:40 UTC
Red Hat Product Errata RHSA-2022:0406 0 None None None 2022-02-02 13:51:20 UTC
Red Hat Product Errata RHSA-2022:0407 0 None None None 2022-02-02 14:50:05 UTC
Red Hat Product Errata RHSA-2022:0408 0 None None None 2022-02-02 14:57:27 UTC
Red Hat Product Errata RHSA-2022:0409 0 None None None 2022-02-02 14:59:53 UTC
Red Hat Product Errata RHSA-2022:0410 0 None None None 2022-02-02 15:00:34 UTC
Red Hat Product Errata RHSA-2022:0415 0 None None None 2022-02-02 20:51:56 UTC
Red Hat Product Errata RHSA-2022:0447 0 None None None 2022-02-07 13:53:33 UTC
Red Hat Product Errata RHSA-2022:0448 0 None None None 2022-02-07 13:52:38 UTC
Red Hat Product Errata RHSA-2022:1179 0 None None None 2022-04-12 19:07:02 UTC
Red Hat Product Errata RHSA-2022:5532 0 None None None 2022-07-07 14:21:24 UTC

Description Guilherme de Almeida Suckevicz 2021-10-04 14:16:47 UTC
Invocation of an EJB is failing on the client side with the invocation-timeout being hit.

Reference:
https://issues.redhat.com/browse/EAPSUP-651

Comment 18 Jonathan Christison 2021-10-26 15:19:20 UTC
Comment made in error

Comment 19 Jonathan Christison 2021-11-09 13:59:52 UTC
Marking Red Hat Fuse 6 as being affected at a low impact, this is because although versions of undertow affected by this vulnerability are distributed and used by Fuse 6, the vulnerable HTTP2 functionality in undertow is not used in Fuse 6. 

This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 25 errata-xmlrpc 2022-02-02 13:23:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:0400 https://access.redhat.com/errata/RHSA-2022:0400

Comment 26 errata-xmlrpc 2022-02-02 13:26:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:0401 https://access.redhat.com/errata/RHSA-2022:0401

Comment 27 errata-xmlrpc 2022-02-02 13:30:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2022:0404 https://access.redhat.com/errata/RHSA-2022:0404

Comment 28 errata-xmlrpc 2022-02-02 13:51:14 UTC
This issue has been addressed in the following products:

  EAP 7.3 async

Via RHSA-2022:0406 https://access.redhat.com/errata/RHSA-2022:0406

Comment 29 errata-xmlrpc 2022-02-02 13:52:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2022:0405 https://access.redhat.com/errata/RHSA-2022:0405

Comment 30 errata-xmlrpc 2022-02-02 14:50:01 UTC
This issue has been addressed in the following products:

  RHSSO 7.5.1

Via RHSA-2022:0407 https://access.redhat.com/errata/RHSA-2022:0407

Comment 31 errata-xmlrpc 2022-02-02 14:57:22 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.10

Via RHSA-2022:0408 https://access.redhat.com/errata/RHSA-2022:0408

Comment 32 errata-xmlrpc 2022-02-02 14:59:48 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0409 https://access.redhat.com/errata/RHSA-2022:0409

Comment 33 errata-xmlrpc 2022-02-02 15:00:30 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0410 https://access.redhat.com/errata/RHSA-2022:0410

Comment 34 errata-xmlrpc 2022-02-02 20:51:52 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0415 https://access.redhat.com/errata/RHSA-2022:0415

Comment 35 errata-xmlrpc 2022-02-07 13:52:34 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:0448 https://access.redhat.com/errata/RHSA-2022:0448

Comment 36 errata-xmlrpc 2022-02-07 13:53:28 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:0447 https://access.redhat.com/errata/RHSA-2022:0447

Comment 37 Product Security DevOps Team 2022-02-07 14:43:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3859

Comment 40 errata-xmlrpc 2022-04-12 19:06:57 UTC
This issue has been addressed in the following products:

  Red Hat Support for Spring Boot 2.5.10

Via RHSA-2022:1179 https://access.redhat.com/errata/RHSA-2022:1179

Comment 41 errata-xmlrpc 2022-07-07 14:21:20 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532


Note You need to log in before you can comment on or make changes to this bug.