Vulnerability Name: CVE-2021-41973 (CCN-212552) Assigned: 2021-11-01 Published: 2021-11-01 Updated: 2022-05-02 Summary: In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater. CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): High
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): NoneAvailibility (A): Complete
Vulnerability Type: CWE-835 Vulnerability Consequences: Denial of Service References: Source: MITRECVE-2021-41973 [oss-security] 20211101 [ANNOUNCE] Apache MINA 2.0.22 & 2.1.5 released [oss-security] 20211101 CVE-2021-41973: Apache MINA HTTP listener DOS apache-cve202141973-dos(212552) https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E [ANNOUNCE] Apache MINA 2.0.22 & 2.1.5 released Oracle Critical Patch Update Advisory - April 2022 https://www.oracle.com/security-alerts/cpuapr2022.html Vulnerable Configuration: Configuration 1 :cpe:/a:apache:mina:*:*:*:*:*:*:*:* (Version < 2.0.22)OR cpe:/a:apache:mina:*:*:*:*:*:*:*:* (Version >= 2.1.0 and < 2.1.5) Configuration 2 :cpe:/a:oracle:banking_payments:14.5:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:* OR cpe:/a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:* OR cpe:/a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:* OR cpe:/a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:* OR cpe:/a:oracle:customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* OR cpe:/a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:* (Version >= 14.0 and <= 14.3) OR cpe:/a:oracle:flexcube_universal_banking:14.5:*:*:*:*:*:*:* OR cpe:/a:oracle:fusion_middleware_common_libraries_and_tools:12.2.1.3.0:*:*:*:*:*:*:* OR cpe:/a:oracle:fusion_middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:* OR cpe:/a:oracle:fusion_middleware_common_libraries_and_tools:14.1.1.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:oss_support_tools:2.12.42:*:*:*:*:*:*:* BACK
apache mina *
apache mina *
oracle banking payments 14.5
oracle banking trade finance process management 14.5
oracle banking treasury management 14.5
oracle communications cloud native core console 1.9.0
oracle customer management and segmentation foundation 18.0
oracle customer management and segmentation foundation 19.0
oracle flexcube universal banking *
oracle flexcube universal banking 14.5
oracle fusion middleware common libraries and tools 12.2.1.3.0
oracle fusion middleware common libraries and tools 12.2.1.4.0
oracle fusion middleware common libraries and tools 14.1.1.0.0
oracle oss support tools 2.12.42
Denotes that component is vulnerable