CVE-2021-3597: Race Condition
First published: Fri Jun 11 2021(Updated: )
A flaw was found in undertow where HTTP2SourceChannel fails to write final frame under some circumstances may result in DoS. The highest impact of this vulnerability is availability.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-apache-commons-io | <0:2.10.0-1.redhat_00001.1.el6ea | 0:2.10.0-1.redhat_00001.1.el6ea |
| redhat/eap7-hal-console | <0:3.2.16-1.Final_redhat_00001.1.el6ea | 0:3.2.16-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hibernate | <0:5.3.20-4.SP2_redhat_00001.1.el6ea | 0:5.3.20-4.SP2_redhat_00001.1.el6ea |
| redhat/eap7-ironjacamar | <0:1.4.35-1.Final_redhat_00001.1.el6ea | 0:1.4.35-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jakarta-el | <0:3.0.3-2.redhat_00006.1.el6ea | 0:3.0.3-2.redhat_00006.1.el6ea |
| redhat/eap7-jberet | <0:1.3.9-1.Final_redhat_00001.1.el6ea | 0:1.3.9-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-remoting | <0:5.0.23-2.SP1_redhat_00001.1.el6ea | 0:5.0.23-2.SP1_redhat_00001.1.el6ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-9.Final_redhat_00010.1.el6ea | 0:1.7.2-9.Final_redhat_00010.1.el6ea |
| redhat/eap7-narayana | <0:5.9.12-1.Final_redhat_00001.1.el6ea | 0:5.9.12-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-picketbox | <0:5.0.3-9.Final_redhat_00008.1.el6ea | 0:5.0.3-9.Final_redhat_00008.1.el6ea |
| redhat/eap7-undertow | <0:2.0.39-1.SP2_redhat_00001.1.el6ea | 0:2.0.39-1.SP2_redhat_00001.1.el6ea |
| redhat/eap7-wildfly | <0:7.3.9-2.GA_redhat_00002.1.el6ea | 0:7.3.9-2.GA_redhat_00002.1.el6ea |
| redhat/eap7-wildfly-http-client | <0:1.0.29-1.Final_redhat_00002.1.el6ea | 0:1.0.29-1.Final_redhat_00002.1.el6ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.14-2.Final_redhat_00001.1.el6ea | 0:1.1.14-2.Final_redhat_00001.1.el6ea |
| redhat/eap7-apache-commons-io | <0:2.10.0-1.redhat_00001.1.el7ea | 0:2.10.0-1.redhat_00001.1.el7ea |
| redhat/eap7-hal-console | <0:3.2.16-1.Final_redhat_00001.1.el7ea | 0:3.2.16-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hibernate | <0:5.3.20-4.SP2_redhat_00001.1.el7ea | 0:5.3.20-4.SP2_redhat_00001.1.el7ea |
| redhat/eap7-ironjacamar | <0:1.4.35-1.Final_redhat_00001.1.el7ea | 0:1.4.35-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jakarta-el | <0:3.0.3-2.redhat_00006.1.el7ea | 0:3.0.3-2.redhat_00006.1.el7ea |
| redhat/eap7-jberet | <0:1.3.9-1.Final_redhat_00001.1.el7ea | 0:1.3.9-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-remoting | <0:5.0.23-2.SP1_redhat_00001.1.el7ea | 0:5.0.23-2.SP1_redhat_00001.1.el7ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-9.Final_redhat_00010.1.el7ea | 0:1.7.2-9.Final_redhat_00010.1.el7ea |
| redhat/eap7-narayana | <0:5.9.12-1.Final_redhat_00001.1.el7ea | 0:5.9.12-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-picketbox | <0:5.0.3-9.Final_redhat_00008.1.el7ea | 0:5.0.3-9.Final_redhat_00008.1.el7ea |
| redhat/eap7-undertow | <0:2.0.39-1.SP2_redhat_00001.1.el7ea | 0:2.0.39-1.SP2_redhat_00001.1.el7ea |
| redhat/eap7-wildfly | <0:7.3.9-2.GA_redhat_00002.1.el7ea | 0:7.3.9-2.GA_redhat_00002.1.el7ea |
| redhat/eap7-wildfly-http-client | <0:1.0.29-1.Final_redhat_00002.1.el7ea | 0:1.0.29-1.Final_redhat_00002.1.el7ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.14-2.Final_redhat_00001.1.el7ea | 0:1.1.14-2.Final_redhat_00001.1.el7ea |
| redhat/eap7-apache-commons-io | <0:2.10.0-1.redhat_00001.1.el8ea | 0:2.10.0-1.redhat_00001.1.el8ea |
| redhat/eap7-hal-console | <0:3.2.16-1.Final_redhat_00001.1.el8ea | 0:3.2.16-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hibernate | <0:5.3.20-4.SP2_redhat_00001.1.el8ea | 0:5.3.20-4.SP2_redhat_00001.1.el8ea |
| redhat/eap7-ironjacamar | <0:1.4.35-1.Final_redhat_00001.1.el8ea | 0:1.4.35-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jakarta-el | <0:3.0.3-2.redhat_00006.1.el8ea | 0:3.0.3-2.redhat_00006.1.el8ea |
| redhat/eap7-jberet | <0:1.3.9-1.Final_redhat_00001.1.el8ea | 0:1.3.9-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-remoting | <0:5.0.23-2.SP1_redhat_00001.1.el8ea | 0:5.0.23-2.SP1_redhat_00001.1.el8ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-9.Final_redhat_00010.1.el8ea | 0:1.7.2-9.Final_redhat_00010.1.el8ea |
| redhat/eap7-narayana | <0:5.9.12-1.Final_redhat_00001.1.el8ea | 0:5.9.12-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-picketbox | <0:5.0.3-9.Final_redhat_00008.1.el8ea | 0:5.0.3-9.Final_redhat_00008.1.el8ea |
| redhat/eap7-undertow | <0:2.0.39-1.SP2_redhat_00001.1.el8ea | 0:2.0.39-1.SP2_redhat_00001.1.el8ea |
| redhat/eap7-wildfly | <0:7.3.9-2.GA_redhat_00002.1.el8ea | 0:7.3.9-2.GA_redhat_00002.1.el8ea |
| redhat/eap7-wildfly-http-client | <0:1.0.29-1.Final_redhat_00002.1.el8ea | 0:1.0.29-1.Final_redhat_00002.1.el8ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.14-2.Final_redhat_00001.1.el8ea | 0:1.1.14-2.Final_redhat_00001.1.el8ea |
| redhat/eap7-undertow | <0:2.2.9-2.SP1_redhat_00001.1.el8ea | 0:2.2.9-2.SP1_redhat_00001.1.el8ea |
| redhat/eap7-undertow | <0:2.2.9-2.SP1_redhat_00001.1.el7ea | 0:2.2.9-2.SP1_redhat_00001.1.el7ea |
| redhat/undertow | <2.0.35. | 2.0.35. |
| redhat/undertow | <2.2.6. | 2.2.6. |
| redhat/undertow | <2.0.36. | 2.0.36. |
| redhat/undertow | <2.2.9. | 2.2.9. |
| redhat/undertow | <2.0.39. | 2.0.39. |
| Red Hat Fuse | =1.0 | |
| JBoss Enterprise Application Platform | ||
| Red Hat OpenShift Application Runtimes | ||
| Red Hat Single Sign-On | ||
| Red Hat Undertow | <2.0.35 | |
| Red Hat Undertow | >=2.2.0<2.2.6 | |
| Red Hat Undertow | =2.0.35 | |
| Red Hat Undertow | =2.0.36 | |
| Red Hat Undertow | =2.0.39 | |
| Red Hat Undertow | =2.2.6 | |
| Red Hat Undertow | =2.2.7 | |
| Red Hat Undertow | =2.2.9 | |
| JBoss Enterprise Application Platform | =7.3 | |
| JBoss Enterprise Application Platform | =7.4 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| NetApp Active IQ Unified Manager | ||
| NetApp Active IQ Unified Manager for VMware vSphere | ||
| NetApp Active IQ Unified Manager | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Workflow Automation |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1970930
- https://security.netapp.com/advisory/ntap-20220804-0003/
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2021:3471
- https://access.redhat.com/errata/RHSA-2021:3468
- https://access.redhat.com/errata/RHSA-2021:3466
- https://access.redhat.com/errata/RHSA-2021:3467
- https://access.redhat.com/security/cve/cve-2021-3597
- https://access.redhat.com/errata/RHSA-2021:3516
- https://access.redhat.com/errata/RHSA-2021:3534
- https://access.redhat.com/errata/RHSA-2021:3656
- https://access.redhat.com/errata/RHSA-2021:3658
- https://access.redhat.com/errata/RHSA-2021:3660
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/errata/RHSA-2022:1179
- https://www.cve.org/CVERecord?id=CVE-2021-3597 https://nvd.nist.gov/vuln/detail/CVE-2021-3597
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-3597?
CVE-2021-3597 has a high severity level due to its potential to cause a denial of service (DoS).
How do I fix CVE-2021-3597?
To mitigate CVE-2021-3597, users must upgrade to the patched versions of the affected software packages as indicated by Red Hat.
What software is affected by CVE-2021-3597?
CVE-2021-3597 impacts various versions of undertow and related packages in the Red Hat JBoss Enterprise Application Platform.
Is CVE-2021-3597 a local or remote vulnerability?
CVE-2021-3597 is a remote vulnerability, allowing attackers to potentially affect availability without local access.
What types of exploits are applicable to CVE-2021-3597?
Exploits for CVE-2021-3597 can lead to a denial of service by failing to write the final frame in an HTTP/2 connection.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/references
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3597
- agent/software-canonical-lookup
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/redhat
- canonical/red hat fuse
- version/red hat fuse/1.0
- canonical/jboss enterprise application platform
- canonical/red hat openshift application runtimes
- canonical/red hat single sign-on
- canonical/red hat undertow
- version/red hat undertow/2.2.0
- version/red hat undertow/2.0.35
- version/red hat undertow/2.0.36
- version/red hat undertow/2.0.39
- version/red hat undertow/2.2.6
- version/red hat undertow/2.2.7
- version/red hat undertow/2.2.9
- version/jboss enterprise application platform/7.3
- version/jboss enterprise application platform/7.4
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- vendor/netapp
- canonical/netapp active iq unified manager
- canonical/netapp active iq unified manager for vmware vsphere
- canonical/netapp oncommand insight
- canonical/netapp oncommand workflow automation