CVE-2021-3629: 
Java vulnerability analysis and mitigation

A flaw was discovered in Undertow (CVE-2021-3629) related to flow control handling by the browser over HTTP/2. The vulnerability affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final. This security issue was first reported on June 29, 2021, and primarily impacts the availability of affected systems (Red Hat Bugzilla, NVD).

The vulnerability is classified as an Uncontrolled Resource Consumption (CWE-400) issue. It has a CVSS v3.1 Base Score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it requires no privileges or user interaction to exploit, but has high attack complexity. The vulnerability specifically affects the HTTP/2 flow control handling mechanism in Undertow (NVD).

The primary impact of this vulnerability is on system availability. When successfully exploited, it can cause overhead or a denial of service (DoS) condition in the affected server. The vulnerability affects only the availability aspect, with no impact on confidentiality or integrity of the system (NetApp Advisory).

The primary mitigation is to upgrade to the fixed versions of Undertow: version 2.0.40.Final or later for the 2.0.x series, or version 2.2.11.Final or later for the 2.2.x series. Multiple vendors have released security updates to address this vulnerability in their products, including Red Hat JBoss EAP and NetApp Active IQ Unified Manager (Red Hat Bugzilla, NetApp Advisory).