Vulnerability Details : CVE-2021-3597
A flaw was found in Undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is to availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
Vulnerability category: Denial of service
Products affected by CVE-2021-3597
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:undertow:2.0.39:-:*:*:*:*:*:*
- cpe:2.3:a:redhat:undertow:2.2.9:-:*:*:*:*:*:*
- cpe:2.3:a:redhat:undertow:2.0.36:-:*:*:*:*:*:*
- cpe:2.3:a:redhat:undertow:2.2.7:-:*:*:*:*:*:*
- cpe:2.3:a:redhat:undertow:2.2.6:-:*:*:*:*:*:*
- cpe:2.3:a:redhat:undertow:2.0.35:-:*:*:*:*:*:*
- cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
Threat overview for CVE-2021-3597
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2021-3597: 4,101
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2021-3597
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~38% (the proportion of vulnerabilities that are scored at or below this score)
EPSS Score History
CVSS scores for CVE-2021-3597
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:N/A:P | 4.9 | 2.9 | NIST |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.2 | 3.6 | NIST |
CWE ids for CVE-2021-3597
- The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2021-3597
- https://bugzilla.redhat.com/show_bug.cgi?id=1970930
  1970930 – (CVE-2021-3597) CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS (Issue Tracking; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220804-0003/
  CVE-2021-3597 Undertow Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)