Vulnerability Name:

CVE-2021-3642 (CCN-206866)

Assigned: 2021-07-12
Published: 2021-07-12
Updated: 2021-10-20
Summary: A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to a timing attack if enabled. The highest threat from this vulnerability is to confidentiality.
CVSS v3 Severity: 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
3.1 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
2.7 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
2.1 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-203
Vulnerability Consequences: Obtain Information
References:

Source: MITRE
Type: CNA
CVE-2021-3642

Source: CCN
Type: Red Hat Bugzilla - Bug 1981407
CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer

Source: MISC
Type: Issue Tracking, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1981407

Source: XF
Type: UNKNOWN
wildfly-cve20213642-info-disc(206866)

Source: CCN
Type: WildFly Web site
WildFly Elytron is a set of Java APIs and SPIs for application server and client side security.

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:redhat:wildfly_elytron:*:*:*:*:*:*:*:* (Version < 1.10.14)
  • OR cpe:/a:redhat:wildfly_elytron:*:*:*:*:*:*:*:* (Version >= 1.11.0 and < 1.15.5)
  • OR cpe:/a:redhat:wildfly_elytron:*:*:*:*:*:*:*:* (Version >= 1.16.0 and < 1.16.1)

Configuration 2:
  • cpe:/a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:data_grid:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:descision_manager:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:integration_camel_quarkus:*:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:process_automation:7.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:quarkus:quarkus:*:*:*:*:*:*:*:* (Version <= 2.1.4)

* Denotes that the component is vulnerable