CVE-2021-3642
First published: Wed Jun 30 2021(Updated: )
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-apache-cxf | <0:3.3.12-1.redhat_00001.1.el6ea | 0:3.3.12-1.redhat_00001.1.el6ea |
| redhat/eap7-ironjacamar | <0:1.5.3-1.Final_redhat_00001.1.el6ea | 0:1.5.3-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jakarta-el | <0:3.0.3-3.redhat_00007.1.el6ea | 0:3.0.3-3.redhat_00007.1.el6ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.43-1.Final_redhat_00001.1.el6ea | 0:4.0.43-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-10.Final_redhat_00011.1.el6ea | 0:1.7.2-10.Final_redhat_00011.1.el6ea |
| redhat/eap7-jsoup | <0:1.14.2-1.redhat_00002.1.el6ea | 0:1.14.2-1.redhat_00002.1.el6ea |
| redhat/eap7-resteasy | <0:3.11.5-1.Final_redhat_00001.1.el6ea | 0:3.11.5-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-undertow | <0:2.0.41-1.SP1_redhat_00001.1.el6ea | 0:2.0.41-1.SP1_redhat_00001.1.el6ea |
| redhat/eap7-wildfly | <0:7.3.10-2.GA_redhat_00003.1.el6ea | 0:7.3.10-2.GA_redhat_00003.1.el6ea |
| redhat/eap7-wildfly-elytron | <0:1.10.15-1.Final_redhat_00001.1.el6ea | 0:1.10.15-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-wss4j | <0:2.2.7-1.redhat_00001.1.el6ea | 0:2.2.7-1.redhat_00001.1.el6ea |
| redhat/eap7-xml-security | <0:2.1.7-1.redhat_00001.1.el6ea | 0:2.1.7-1.redhat_00001.1.el6ea |
| redhat/eap7-apache-cxf | <0:3.3.12-1.redhat_00001.1.el7ea | 0:3.3.12-1.redhat_00001.1.el7ea |
| redhat/eap7-ironjacamar | <0:1.5.3-1.Final_redhat_00001.1.el7ea | 0:1.5.3-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jakarta-el | <0:3.0.3-3.redhat_00007.1.el7ea | 0:3.0.3-3.redhat_00007.1.el7ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.43-1.Final_redhat_00001.1.el7ea | 0:4.0.43-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-10.Final_redhat_00011.1.el7ea | 0:1.7.2-10.Final_redhat_00011.1.el7ea |
| redhat/eap7-jsoup | <0:1.14.2-1.redhat_00002.1.el7ea | 0:1.14.2-1.redhat_00002.1.el7ea |
| redhat/eap7-resteasy | <0:3.11.5-1.Final_redhat_00001.1.el7ea | 0:3.11.5-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-undertow | <0:2.0.41-1.SP1_redhat_00001.1.el7ea | 0:2.0.41-1.SP1_redhat_00001.1.el7ea |
| redhat/eap7-wildfly | <0:7.3.10-2.GA_redhat_00003.1.el7ea | 0:7.3.10-2.GA_redhat_00003.1.el7ea |
| redhat/eap7-wildfly-elytron | <0:1.10.15-1.Final_redhat_00001.1.el7ea | 0:1.10.15-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-wss4j | <0:2.2.7-1.redhat_00001.1.el7ea | 0:2.2.7-1.redhat_00001.1.el7ea |
| redhat/eap7-xml-security | <0:2.1.7-1.redhat_00001.1.el7ea | 0:2.1.7-1.redhat_00001.1.el7ea |
| redhat/eap7-apache-cxf | <0:3.3.12-1.redhat_00001.1.el8ea | 0:3.3.12-1.redhat_00001.1.el8ea |
| redhat/eap7-ironjacamar | <0:1.5.3-1.Final_redhat_00001.1.el8ea | 0:1.5.3-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jakarta-el | <0:3.0.3-3.redhat_00007.1.el8ea | 0:3.0.3-3.redhat_00007.1.el8ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.43-1.Final_redhat_00001.1.el8ea | 0:4.0.43-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-10.Final_redhat_00011.1.el8ea | 0:1.7.2-10.Final_redhat_00011.1.el8ea |
| redhat/eap7-jsoup | <0:1.14.2-1.redhat_00002.1.el8ea | 0:1.14.2-1.redhat_00002.1.el8ea |
| redhat/eap7-resteasy | <0:3.11.5-1.Final_redhat_00001.1.el8ea | 0:3.11.5-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-undertow | <0:2.0.41-1.SP1_redhat_00001.1.el8ea | 0:2.0.41-1.SP1_redhat_00001.1.el8ea |
| redhat/eap7-wildfly | <0:7.3.10-2.GA_redhat_00003.1.el8ea | 0:7.3.10-2.GA_redhat_00003.1.el8ea |
| redhat/eap7-wildfly-elytron | <0:1.10.15-1.Final_redhat_00001.1.el8ea | 0:1.10.15-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-wss4j | <0:2.2.7-1.redhat_00001.1.el8ea | 0:2.2.7-1.redhat_00001.1.el8ea |
| redhat/eap7-xml-security | <0:2.1.7-1.redhat_00001.1.el8ea | 0:2.1.7-1.redhat_00001.1.el8ea |
| redhat/eap7-wildfly-elytron | <0:1.15.5-1.Final_redhat_00001.1.el8ea | 0:1.15.5-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-elytron | <0:1.15.5-1.Final_redhat_00001.1.el7ea | 0:1.15.5-1.Final_redhat_00001.1.el7ea |
| redhat/Wildfly Elytron | <1.10.14. | 1.10.14. |
| redhat/Wildfly Elytron | <1.15.5. | 1.15.5. |
| redhat/Wildfly Elytron | <1.16.1. | 1.16.1. |
| Red Hat WildFly Elytron | <1.10.14 | |
| Red Hat WildFly Elytron | >=1.11.0<1.15.5 | |
| Red Hat WildFly Elytron | >=1.16.0<1.16.1 | |
| Red Hat Quarkus | ||
| Red Hat CodeReady Studio | =12.0 | |
| Red Hat Data Grid | =8.0 | |
| Red Hat Decision Manager | =7.0 | |
| Red Hat Integration - Camel K | ||
| Red Hat Quarkus | ||
| JBoss Enterprise Application Platform | =7.0.0 | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | ||
| Red Hat JBoss Fuse | =7.0.0 | |
| Red Hat OpenShift Application Runtimes | ||
| Red Hat Process Automation Manager | =7.0 | |
| Red Hat Quarkus | <=2.1.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1981407
- https://issues.redhat.com/browse/ELY-2147
- https://access.redhat.com/errata/RHSA-2021:3656
- https://access.redhat.com/errata/RHSA-2021:3658
- https://access.redhat.com/errata/RHSA-2021:3660
- https://access.redhat.com/errata/RHSA-2021:3880
- https://access.redhat.com/security/cve/cve-2021-3642
- https://access.redhat.com/errata/RHSA-2021:4767
- https://access.redhat.com/errata/RHSA-2021:5150
- https://access.redhat.com/errata/RHSA-2021:5151
- https://access.redhat.com/errata/RHSA-2021:5154
- https://access.redhat.com/errata/RHSA-2021:5149
- https://access.redhat.com/errata/RHSA-2021:5170
- https://access.redhat.com/errata/RHSA-2022:0146
- https://access.redhat.com/errata/RHSA-2022:0520
- https://access.redhat.com/errata/RHSA-2022:1179
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2022:5903
- https://www.cve.org/CVERecord?id=CVE-2021-3642 https://nvd.nist.gov/vuln/detail/CVE-2021-3642
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-3642?
The severity of CVE-2021-3642 is considered high due to its potential effect on confidentiality.
How do I fix CVE-2021-3642?
To fix CVE-2021-3642, upgrade Wildfly Elytron to versions 1.10.14.Final, 1.15.5.Final, or 1.16.1.Final or later.
What products are affected by CVE-2021-3642?
CVE-2021-3642 affects Wildfly Elytron versions prior to 1.10.14, 1.15.5, and 1.16.1 across several Red Hat packages.
What type of attack does CVE-2021-3642 expose?
CVE-2021-3642 exposes the application to timing attacks if ScramServer is enabled.
Is CVE-2021-3642 specific to any operating system?
CVE-2021-3642 affects Wildfly Elytron on multiple operating systems including Red Hat Enterprise Linux versions el6, el7, and el8.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/references
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3642
- agent/software-canonical-lookup
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/redhat
- canonical/red hat wildfly elytron
- version/red hat wildfly elytron/1.11.0
- version/red hat wildfly elytron/1.16.0
- canonical/red hat quarkus
- canonical/red hat codeready studio
- version/red hat codeready studio/12.0
- canonical/red hat data grid
- version/red hat data grid/8.0
- canonical/red hat decision manager
- version/red hat decision manager/7.0
- canonical/red hat integration - camel k
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/7.0.0
- canonical/red hat jboss enterprise application platform expansion pack
- canonical/red hat jboss fuse
- version/red hat jboss fuse/7.0.0
- canonical/red hat openshift application runtimes
- canonical/red hat process automation manager
- version/red hat process automation manager/7.0
- vendor/quarkus
- version/red hat quarkus/2.1.4