CVE-2021-41973

moderate-risk

Published 2021-11-01

In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.

Do I need to act?

0.84% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (13)

Mina

Banking Payments

Banking Trade Finance Process Management

Banking Treasury Management

Communications Cloud Native Core Console

Customer Management And Segmentation Foundation

Flexcube Universal Banking

Fusion Middleware Common Libraries And Tools

Oss Support Tools

Affected Vendors

Apache Oracle

References (8)

Mailing List http://www.openwall.com/lists/oss-security/2021/11/01/2

Mailing List http://www.openwall.com/lists/oss-security/2021/11/01/8

Mailing List https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f...

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Mailing List http://www.openwall.com/lists/oss-security/2021/11/01/2

Mailing List http://www.openwall.com/lists/oss-security/2021/11/01/8

Mailing List https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f...

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 3/34 · Minimal

Exposure 17/34 · Moderate