Vulnerability Name:

CVE-2021-4213 (CCN-234328)

Assigned:2022-02-09
Published:2022-02-09
Updated:2022-08-29
Summary:A flaw was found in JSS, where it did not properly free up all memory. Over time, the wasted memory builds up in the server memory, saturating the server’s RAM. This flaw allows an attacker to force the invocation of an out-of-memory process, causing a denial of service.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
8.6 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
7.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-401
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2021-4213

Source: MISC
Type: Third Party Advisory
https://access.redhat.com/security/cve/CVE-2021-4213

Source: CCN
Type: Red Hat Bugzilla - Bug 2042900
(CVE-2021-4213) - CVE-2021-4213 JSS: memory leak in TLS connection leads to OOM

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2042900

Source: XF
Type: UNKNOWN
dogtag-cve20214213-dos(234328)

Source: CCN
Type: JSS GIT Repository
Additional fix for TLS connection I missed from original patch

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/dogtagpki/jss/commit/3aabe0e9d59b0a42e68ac8cd0468f9c5179967d2

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/dogtagpki/jss/commit/5922560a78d0dee61af8a33cc9cfbf4cfa291448

Source: MISC
Type: Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2021-4213

Vulnerable Configuration:Configuration 1:
  • cpe:/a:dogtagpki:network_security_services_for_java:*:*:*:*:*:*:*:* (Version >= 5.0.0 and < 5.1.0)
  • OR cpe:/a:dogtagpki:network_security_services_for_java:*:*:*:*:*:*:*:* (Version < 4.9.3)

  • Configuration 2:
  • cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.redhat.rhsa:def:20221851
    P
    RHSA-2022:1851: pki-core:10.6 security and bug fix update (Moderate)
    2022-05-10
    BACK
    dogtagpki network security services for java *
    dogtagpki network security services for java *
    redhat enterprise linux 8.0
    debian debian linux 10.0
    debian debian linux 11.0