CVE-2021-3629
Description
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flaw in Undertow's HTTP/2 flow control handling can be abused to cause resource exhaustion and denial of service on the server.
Vulnerability
A flaw exists in JBoss Undertow, a Java web server, within its handling of HTTP/2 flow control. The browser can manipulate flow control mechanisms to cause excessive overhead on the server, leading to a denial of service. This affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final. The issue is described as a potential security issue in flow control handling by the browser over HTTP/2 [1][2].
Exploitation
An attacker does not require special authentication or network position; the vulnerability can be triggered by a malicious or compromised client (browser) that can send HTTP/2 frames that manipulate flow control windows. This can cause the server to waste resources processing these requests, potentially exhausting CPU and memory on the server side [1][2].
Impact
Successful exploitation results in a denial of service (availability impact) due to resource exhaustion. The highest threat from this vulnerability is availability, and no other CIA impact (confidentiality, integrity) is indicated. The server may become unresponsive or crash under the increased load [1][2].
Mitigation
This issue has been addressed in Undertow versions 2.0.40.Final and 2.2.11.Final. Red Hat has released patches for affected products, including EAP 7.4.2 and JBoss EAP for RHEL 7 and RHEL 8 (RHSA-2021:4679, RHSA-2021:4676, RHSA-2021:4677) as of November 2021. Users should upgrade to the fixed versions or apply the relevant Red Hat security updates [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.undertow:undertow-coreMaven | < 2.0.40.Final | 2.0.40.Final |
io.undertow:undertow-coreMaven | >= 2.1.0, < 2.2.11.Final | 2.2.11.Final |
Affected products
2- Undertow/Undertowdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-rf6q-vx79-mjxrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-3629ghsaADVISORY
- bugzilla.redhat.com/show_bug.cgighsax_refsource_MISCWEB
- security.netapp.com/advisory/ntap-20220729-0008ghsaWEB
- security.netapp.com/advisory/ntap-20220729-0008/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.