CVE-2021-3859 Overview
A denial of service vulnerability was discovered in Red Hat Undertow, a flexible and performant web server written in Java. The flaw exists in how Undertow handles HTTP/2 CONTINUATION frames, causing client-side invocation timeouts for certain calls made over HTTP/2. This vulnerability allows remote attackers to carry out denial of service attacks against affected applications without requiring authentication.
Critical Impact
Remote attackers can exploit this vulnerability over the network to cause denial of service conditions against applications using Undertow's HTTP/2 implementation, potentially disrupting critical enterprise services.
Affected Products
- Red Hat JBoss Enterprise Application Platform 7.3 and 7.4
- Red Hat Single Sign-On 7.4.10 and 7.5.1
- Red Hat Undertow (all vulnerable versions)
- NetApp Cloud Secure Agent
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
Discovery Timeline
- 2022-08-26 - CVE-2021-3859 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3859
Vulnerability Analysis
The vulnerability resides in Undertow's HTTP/2 protocol implementation, specifically in how CONTINUATION frames are read and processed. HTTP/2 uses CONTINUATION frames to carry the remainder of a header block that does not fit in a single HEADERS frame because it exceeds the maximum frame size. The flaw causes improper handling of these CONTINUATION frames, leading to client-side invocation timeouts when certain HTTP/2 calls are made.
The root issue relates to CWE-214 (Invocation of Process Using Visible Sensitive Information) and CWE-668 (Exposure of Resource to Wrong Sphere), indicating that the vulnerability exposes internal processing states that can be manipulated by attackers to cause service disruption.
Root Cause
The root cause lies in the HpackEncoder.java and Http2Channel.java components, where continuation frames were not read correctly. When a HEADERS frame's header block continued into CONTINUATION frames, the iterator used to traverse header values was not advanced properly, and CONTINUATION frames that had already arrived in the same buffer as the HEADERS frame were not consumed promptly. This leaves the frame parser in an inconsistent state and surfaces as client-side timeouts.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication or user interaction. An attacker can send specially crafted HTTP/2 requests that trigger the continuation frame handling flaw, causing the target server to experience processing delays and client-side invocation timeouts. This effectively denies service to legitimate users attempting to access the affected application.
// Patch in HpackEncoder.java - Iterator advancement fix
// Source: https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2
if (headers != currentHeaders) {
throw new IllegalStateException();
}
+ it = headers.fiNext(it);
}
while (it != -1) {
HeaderValues values = headers.fiCurrent(it);
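Review bot: the added `it = headers.fiNext(it);` carries no comment explaining why the iterator is advanced only on the path where `headers == currentHeaders` (encoding resumed on the same header map); a one-line comment stating why the entry at `it` must be skipped when resuming would make the intent clear to the next reader. The `while (it != -1)` loop that follows already tolerates `fiNext` returning -1 at the end of the map, so no extra guard is needed.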
// Patch in Http2Channel.java - Continuation frame consumption fix
// Source: https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2
@Override
protected FrameHeaderData parseFrame(ByteBuffer data) throws IOException {
+ Http2FrameHeaderParser frameParser;
+ do {
+ frameParser = parseFrameNoContinuation(data);
+ // if the frame requires continuation and there is remaining data in the buffer
+ // it should be consumed cos spec ensures the next frame is the continuation
+ } while(frameParser != null && frameParser.getContinuationParser() != null && data.hasRemaining());
+ return frameParser;
+ }
+
+ private Http2FrameHeaderParser parseFrameNoContinuation(ByteBuffer data) throws IOException {
if (prefaceCount < PREFACE_BYTES.length) {
while (data.hasRemaining() && prefaceCount < PREFACE_BYTES.length) {
if (data.get() != PREFACE_BYTES[prefaceCount]) {
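Review bot: termination of the new `do { ... } while (frameParser != null && frameParser.getContinuationParser() != null && data.hasRemaining())` loop relies on `parseFrameNoContinuation(data)` consuming at least one byte on every pass; if it can return a parser that still has a continuation parser without advancing `data`, the loop spins forever on peer-controlled input. Consider recording `data.position()` before each call and breaking (or asserting) if it did not advance. Also, the comment "it should be consumed cos spec ensures the next frame is the continuation" should read "because" and cite RFC 7540 section 6.10, which is the rule the loop depends on.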
Detection Methods for CVE-2021-3859
Indicators of Compromise
- Unusual patterns of HTTP/2 requests with large header blocks requiring continuation frames
- Increased client-side timeout errors in application logs
- Elevated connection reset or termination events on HTTP/2 endpoints
- Abnormal resource consumption patterns on Undertow-based application servers
Detection Strategies
- Monitor HTTP/2 traffic for requests with abnormally large HEADERS frames that trigger CONTINUATION frames
- Implement application-level logging to track HTTP/2 frame parsing errors and timeout events
- Deploy network intrusion detection rules to identify potential denial of service patterns against HTTP/2 endpoints
- Review JBoss EAP and Undertow logs for repeated client invocation timeout warnings
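The header-block mechanics described under Vulnerability Analysis and the first Detection Strategies item, as an added example that is not from this page or the Undertow project: it serialises and parses the 9-byte HTTP/2 frame header, tracks each stream's HEADERS/CONTINUATION sequence as the frames would sit together in one receive buffer, and flags streams whose header block spans more CONTINUATION frames or bytes than assumed thresholds. The frame builder, the thresholds and the sample capture are constructed for this example.

```python
import struct

HEADERS, CONTINUATION = 0x1, 0x9   # RFC 7540 frame type codes
END_HEADERS = 0x4                  # HEADERS/CONTINUATION flag that closes a header block

def build_frame(ftype, flags, stream_id, payload):
    """Serialise one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    length = struct.pack(">I", len(payload))[1:]
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in a captured byte buffer."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # trailing partial frame: needs more data before it can be parsed
        yield ftype, flags, stream_id, payload
        off += 9 + length

def header_block_stats(buf):
    """Per stream: CONTINUATION count, header block bytes and whether END_HEADERS was seen.
    Padding/priority fields of HEADERS are counted as block bytes; good enough for alerting."""
    stats = {}
    for ftype, flags, sid, payload in iter_frames(buf):
        if ftype == HEADERS:
            stats[sid] = {"continuations": 0, "bytes": len(payload), "complete": bool(flags & END_HEADERS)}
        elif ftype == CONTINUATION and sid in stats:
            stats[sid]["continuations"] += 1
            stats[sid]["bytes"] += len(payload)
            stats[sid]["complete"] = bool(flags & END_HEADERS)
    return stats

def suspicious_streams(buf, max_continuations=4, max_bytes=16384):
    """Stream ids whose header block used too many CONTINUATION frames or too many bytes.
    Thresholds are assumptions for this example; tune them to the application's real headers."""
    return sorted(sid for sid, s in header_block_stats(buf).items()
                  if s["continuations"] > max_continuations or s["bytes"] > max_bytes)

# Constructed sample capture (not real traffic): stream 1 is an ordinary request whose header
# block fits in one HEADERS frame; stream 3 spreads its block over seven CONTINUATION frames.
SAMPLE = build_frame(HEADERS, END_HEADERS, 1, b"\x82\x84")
SAMPLE += build_frame(HEADERS, 0, 3, b"\x82")
for _ in range(6):
    SAMPLE += build_frame(CONTINUATION, 0, 3, b"\x00" * 1024)
SAMPLE += build_frame(CONTINUATION, END_HEADERS, 3, b"\x00")

if __name__ == "__main__":
    print("streams to investigate:", suspicious_streams(SAMPLE))  # [3]
```

Feeding the same function a buffer cut mid-frame reports the stream as incomplete rather than raising, which is the state a receiver is in while waiting for the rest of a header block.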
Monitoring Recommendations
- Enable verbose logging for Undertow's HTTP/2 handling components to capture frame processing anomalies
- Set up alerting for sudden increases in HTTP/2 connection failures or timeout events
- Monitor server resource utilization for signs of denial of service attacks targeting HTTP/2 services
- Track connection duration and frame processing times for HTTP/2 sessions
How to Mitigate CVE-2021-3859
Immediate Actions Required
- Update Undertow to a patched version that includes commit e43f0ada3f4da6e8579e0020cec3cb1a81e487c2
- Upgrade Red Hat JBoss Enterprise Application Platform to the latest security-patched release
- Update Red Hat Single Sign-On to version 7.5.2 or later
- Review and apply vendor-specific patches for NetApp Cloud Secure Agent, OnCommand Insight, and OnCommand Workflow Automation
Patch Information
Red Hat has released security patches addressing this vulnerability. The fix modifies the HTTP/2 frame parsing logic in Http2Channel.java to properly consume continuation frames when they arrive in the same buffer as the initial header frame. Additionally, the patch corrects the iterator advancement issue in HpackEncoder.java to ensure proper header value traversal.
For detailed patch information, refer to:
- Red Hat CVE-2021-3859 Advisory
- Red Hat Bug Report 2010378
- GitHub Undertow Commit
- Red Hat Undertow Issue UNDERTOW-1979
- NetApp Security Advisory ntap-20221201-0004
Workarounds
- Consider disabling HTTP/2 support temporarily if patching is not immediately possible, falling back to HTTP/1.1
- Implement rate limiting on HTTP/2 connections to reduce the impact of potential denial of service attempts
- Deploy a web application firewall (WAF) capable of inspecting HTTP/2 traffic for malicious patterns
- Use network segmentation to limit exposure of vulnerable Undertow instances to untrusted networks
# Example: Disable HTTP/2 in JBoss EAP standalone configuration
# Edit standalone.xml and modify the undertow subsystem
# Locate the http-listener element and ensure enable-http2 is set to false
# (the attribute is named enable-http2 in the WildFly/EAP undertow subsystem model):
# <http-listener name="default" socket-binding="http" enable-http2="false"/>
# For HTTPS listener:
# <https-listener name="https" socket-binding="https" enable-http2="false" security-realm="ApplicationRealm"/>
# Restart JBoss EAP after configuration changes (the systemd unit name depends on how EAP was installed)
systemctl restart jboss-eap
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.