CVE-2021-3690: 
Java vulnerability analysis and mitigation

CVE-2021-3690 is a vulnerability discovered in Undertow, where a buffer leak on incoming WebSocket PONG messages can lead to memory exhaustion. The vulnerability was reported on August 9, 2021, affecting various versions of the Undertow framework. This flaw primarily impacts applications using WebSocket implementations in Undertow, particularly those handling PONG messages (CVE Details, Red Hat CVE).

The vulnerability occurs when a WebSocket endpoint that sends PING messages does not have a handler configured for PongMessage. This leads to a buffer leak in the WebSocket implementation, causing direct buffer memory to be exhausted over time. The issue manifests through XNIO001007 errors in server logs and can eventually cause the server to stop servicing requests. When configured with Byte Buffer Pool leak detection, the system logs buffer leak detection messages for each PONG frame received (Undertow Issue).

The primary impact of this vulnerability is on system availability. When exploited, it can lead to memory exhaustion and eventually cause a denial of service condition where the server stops servicing not only WebSocket connections but all requests. This makes the vulnerability particularly concerning for systems that rely heavily on WebSocket communications (CVE Details).

A workaround exists by adding a PongMessage handler in the WebSocket endpoint's onOpen implementation. The fix involves adding the following code: session.addMessageHandler(PongMessage.class, new MessageHandler.Whole() { public void onMessage(PongMessage message) { } });. The issue has been addressed in multiple versions including Undertow 2.2.10.Final, 2.0.40.Final, and 1.4.18.SP13 (Undertow Issue, GitHub Commit).