CVE-2021-3859: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in Undertow that affects client-side invocation timeout when making calls over HTTP2. The vulnerability, identified as CVE-2021-3859, was reported and addressed in late 2021. The issue affects Undertow versions prior to 2.2.15 and impacts various products that incorporate Undertow, including Red Hat JBoss Enterprise Application Platform and Red Hat Single Sign-On (Red Hat Advisory, NetApp Advisory).

The vulnerability occurs when continuation frames are not read correctly in HTTP2 communications, which can trigger client-side invocation timeout issues. The issue was assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

Successful exploitation of this vulnerability could lead to Denial of Service (DoS) conditions. The vulnerability affects the availability of the service while not impacting confidentiality or integrity (NetApp Advisory).

The vulnerability has been fixed in multiple product versions including Undertow 2.2.15.Final. Various vendors have released patches and updates to address this vulnerability. For Red Hat products, fixes were released through multiple security advisories including RHSA-2022:0404 for JBoss EAP and RHSA-2022:0448 for Red Hat Single Sign-On (Red Hat Advisory, Red Hat Advisory).