{ "threat_severity" : "Moderate", "public_date" : "2021-03-29T00:00:00Z", "bugzilla" : { "description" : "undertow: potential security issue in flow control over HTTP/2 may lead to DOS", "id" : "1977362", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1977362" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.", "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability." ], "affected_release" : [ { "product_name" : "EAP 7.3.10 GA", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5154", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3", "package" : "undertow" }, { "product_name" : "Red Hat EAP-XP 2 via EAP 7.3.x base", "release_date" : "2022-01-17T00:00:00Z", "advisory" : "RHSA-2022:0146", "cpe" : "cpe:/a:redhat:jbosseapxp", "package" : "undertow" }, { "product_name" : "Red Hat Fuse 7.10", "release_date" : "2021-12-14T00:00:00Z", "advisory" : "RHSA-2021:5134", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "undertow" }, { "product_name" : "Red Hat Fuse 7.11", "release_date" : "2022-07-07T00:00:00Z", "advisory" : "RHSA-2022:5532", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel Quarkus 2", "release_date" : "2021-11-23T00:00:00Z", "advisory" : "RHSA-2021:4767", "cpe" : "cpe:/a:redhat:camel_quarkus:2.2" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "release_date" : "2021-11-15T00:00:00Z", "advisory" : "RHSA-2021:4679", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package" : "undertow" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-apache-cxf-0:3.3.12-1.redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-ironjacamar-0:1.5.3-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-jakarta-el-0:3.0.3-3.redhat_00007.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-jboss-ejb-client-0:4.0.43-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-jboss-server-migration-0:1.7.2-10.Final_redhat_00011.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-jsoup-0:1.14.2-1.redhat_00002.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-resteasy-0:3.11.5-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-undertow-0:2.0.41-1.SP1_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-wildfly-0:7.3.10-2.GA_redhat_00003.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-wildfly-elytron-0:1.10.15-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-wss4j-0:2.2.7-1.redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5149", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-xml-security-0:2.1.7-1.redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-apache-cxf-0:3.3.12-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-ironjacamar-0:1.5.3-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-jakarta-el-0:3.0.3-3.redhat_00007.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-jboss-ejb-client-0:4.0.43-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-jboss-server-migration-0:1.7.2-10.Final_redhat_00011.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-jsoup-0:1.14.2-1.redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-resteasy-0:3.11.5-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-undertow-0:2.0.41-1.SP1_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-wildfly-0:7.3.10-2.GA_redhat_00003.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-wildfly-elytron-0:1.10.15-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-wss4j-0:2.2.7-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5150", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-xml-security-0:2.1.7-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-apache-cxf-0:3.3.12-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-ironjacamar-0:1.5.3-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-jakarta-el-0:3.0.3-3.redhat_00007.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-jboss-ejb-client-0:4.0.43-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-jboss-server-migration-0:1.7.2-10.Final_redhat_00011.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-jsoup-0:1.14.2-1.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-resteasy-0:3.11.5-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-undertow-0:2.0.41-1.SP1_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-wildfly-0:7.3.10-2.GA_redhat_00003.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-wildfly-elytron-0:1.10.15-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-wss4j-0:2.2.7-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5151", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-xml-security-0:2.1.7-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date" : "2021-11-15T00:00:00Z", "advisory" : "RHSA-2021:4677", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package" : "eap7-undertow-0:2.2.12-2.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date" : "2021-11-15T00:00:00Z", "advisory" : "RHSA-2021:4676", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package" : "eap7-undertow-0:2.2.12-2.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat Single Sign-On 7.4.10", "release_date" : "2021-12-15T00:00:00Z", "advisory" : "RHSA-2021:5170", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7", "package" : "undertow" }, { "product_name" : "Red Hat Support for Spring Boot 2.5.10", "release_date" : "2022-04-12T00:00:00Z", "advisory" : "RHSA-2022:1179", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "package" : "undertow" }, { "product_name" : "RHAF Camel-K 1.8", "release_date" : "2022-09-09T00:00:00Z", "advisory" : "RHSA-2022:6407", "cpe" : "cpe:/a:redhat:integration:1", "package" : "undertow" } ], "package_state" : [ { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "impact" : "low" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:integration:1", "impact" : "low" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:camel_quarkus:2", "impact" : "low" }, { "product_name" : "Red Hat Integration Service Registry", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:integration:1", "impact" : "low" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Out of support scope", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat support for Spring Boot", "fix_state" : "Affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3629\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3629" ], "name" : "CVE-2021-3629", "csaw" : false }