CVE-2021-3690 - OpenCVE

A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Integration Camel K Undertow Enterprise Linux Jboss Enterprise Application Platform Fuse Integration Camel Quarkus Single Sign-on Openshift Application Runtimes

Configuration 1 [-]

OR	cpe:2.3:a:redhat:fuse:1.0:::::::*
	cpe:2.3:a:redhat:integration_camel_k:-:::::::*
	cpe:2.3:a:redhat:integration_camel_quarkus:-:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:-::::text-only:::
	cpe:2.3:a:redhat:openshift_application_runtimes:-::::text-only:::
	cpe:2.3:a:redhat:single_sign-on:-::::text-only:::
	cpe:2.3:a:redhat:undertow::::::::
	cpe:2.3:a:redhat:undertow::::::::

Configuration 2 [-]

AND

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*

OR	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*

Configuration 3 [-]

AND

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2021-3690	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1991299	Issue Tracking Vendor Advisory
https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877	Patch Third Party Advisory
https://issues.redhat.com/browse/UNDERTOW-1935	Exploit Issue Tracking Mitigation Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2022-08-23T15:50:35

Updated: 2022-08-23T15:50:35

Reserved: 2021-08-09T00:00:00

Link: CVE-2021-3690

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-23T16:15:09.450

Modified: 2023-07-07T19:23:39.667

Link: CVE-2021-3690

JSON object: View

Redhat Information

No data.

CWE

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*", "matchCriteriaId": "F039C746-2001-4EE5-835F-49607A94F12B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "ADB40F59-CAAE-47D6-850C-12619D8D5B34", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", "matchCriteriaId": "542D0A09-0EF5-4BDB-AEE2-98E6FC6AB379", "versionEndExcluding": "2.0.40", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8982494-EED0-4EF7-8DF4-C8DB7D0D5F95", "versionEndExcluding": "2.2.10", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability."}, {"lang": "es", "value": "Se ha encontrado un fallo en Undertow. Un filtrado de b\u00fafer en el mensaje entrante de WebSocket PONG puede conllevar a el agotamiento de la memoria. Este fallo permite a un atacante causar una denegaci\u00f3n de servicio. La mayor amenaza de esta vulnerabilidad es la disponibilidad."}], "id": "CVE-2021-3690", "lastModified": "2023-07-07T19:23:39.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-23T16:15:09.450", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2021-3690"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://issues.redhat.com/browse/UNDERTOW-1935"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}]}