CVE-2021-41973: Apache MINA HTTP listener DOS
First published: Mon Nov 01 2021(Updated: )
In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache MINA | <2.0.22 | |
| Apache MINA | >=2.1.0<2.1.5 | |
| Oracle Banking Payments | =14.5 | |
| Oracle Banking Trade Finance Process Management | =14.5 | |
| Oracle Banking Treasury Management | =14.5 | |
| oracle communications cloud native core console | =1.9.0 | |
| Oracle Customer Management and Segmentation Foundation | =18.0 | |
| Oracle Customer Management and Segmentation Foundation | =19.0 | |
| Oracle FLEXCUBE Universal Banking | >=14.0<=14.3 | |
| Oracle FLEXCUBE Universal Banking | =14.5 | |
| oracle fusion middleware common libraries and tools | =12.2.1.3.0 | |
| oracle fusion middleware common libraries and tools | =12.2.1.4.0 | |
| oracle fusion middleware common libraries and tools | =14.1.1.0.0 | |
| Oracle OSS Support Tools | =2.12.42 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-41973?
CVE-2021-41973 is classified as a high-severity vulnerability due to its potential to cause denial of service through an infinite loop.
How do I fix CVE-2021-41973?
To fix CVE-2021-41973, update Apache MINA to version 2.1.5 or greater.
What software is affected by CVE-2021-41973?
CVE-2021-41973 affects Apache MINA versions prior to 2.1.5 and several Oracle products including Banking Payments and FLEXCUBE Universal Banking.
What impact does CVE-2021-41973 have on systems?
CVE-2021-41973 can lead to a denial of service by making the HTTP Header decoder loop indefinitely.
Is there a workaround for CVE-2021-41973?
There is no known workaround for CVE-2021-41973; upgrading to the patched version is recommended.
- agent/references
- agent/type
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/tags
- agent/event
- agent/source
- vendor/apache
- canonical/apache mina
- version/apache mina/2.1.0
- vendor/oracle
- canonical/oracle banking payments
- version/oracle banking payments/14.5
- canonical/oracle banking trade finance process management
- version/oracle banking trade finance process management/14.5
- canonical/oracle banking treasury management
- version/oracle banking treasury management/14.5
- canonical/oracle communications cloud native core console
- version/oracle communications cloud native core console/1.9.0
- canonical/oracle customer management and segmentation foundation
- version/oracle customer management and segmentation foundation/18.0
- version/oracle customer management and segmentation foundation/19.0
- canonical/oracle flexcube universal banking
- version/oracle flexcube universal banking/14.0
- version/oracle flexcube universal banking/14.3
- version/oracle flexcube universal banking/14.5
- canonical/oracle fusion middleware common libraries and tools
- version/oracle fusion middleware common libraries and tools/12.2.1.3.0
- version/oracle fusion middleware common libraries and tools/12.2.1.4.0
- version/oracle fusion middleware common libraries and tools/14.1.1.0.0
- canonical/oracle oss support tools
- version/oracle oss support tools/2.12.42