CVE-2021-3597
undertow Race Condition vulnerability
5.9
MEDIUM
CVSS 3.1
EPSS 0.17%
Description
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
How to fix CVE-2021-3597
To remediate CVE-2021-3597, upgrade the affected package to a fixed version below.
- upgrade to 2.2.10-1 or later
- upgrade to 2.2.9.Final or later
Is CVE-2021-3597 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.2.10-1
- >= 2.1.0, < 2.2.9.Final
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |