#VU56025 Memory leak in Undertow - CVE-2021-3690

Cybersecurity Help s.r.o.

Published: 2021-08-22

Vulnerability identifier: #VU56025

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-3690

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Undertow
Server applications / Web servers

Vendor: Red Hat Inc.

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when processing incoming PONG messages. A remote attacker can force the application to leak memory by sending an websocket PONG message and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Undertow: 2.0.0.Alpha1 - 2.2.9

External links
https://issues.redhat.com/browse/UNDERTOW-1935
https://bugzilla.redhat.com/show_bug.cgi?id=1991299

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle Communications Cloud Native Core Network Slice Selection Function

Multiple vulnerabilities in Fuse 7.10

Denial of service in Undertow