CVE-2021-4213 — Missing Release of Memory after Effective Lifetime in Network Security Services FOR Java

CWE-401 — Missing Release of Memory after Effective Lifetime6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 53.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dogtagpki Network Security Services FOR Java Debian Linux Redhat Enterprise Linux

Timeline

PublishedAug 24

Latest updateAug 25

Description

A flaw was found in JSS, where it did not properly free up all memory. Over time, the wasted memory builds up in the server memory, saturating the server’s RAM. This flaw allows an attacker to force the invocation of an out-of-memory process, causing a denial of service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDdogtagpki/network_security_services5.0.0 — 5.1.0+1

Also affects: Debian Linux 10.0, 11.0, Enterprise Linux 8.0

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-727r-5fr6-wjfp: A flaw was found in JSS, where it did not properly free up all memory↗2022-08-25

▶

CVEList

CVE-2021-4213: A flaw was found in JSS, where it did not properly free up all memory↗2022-08-24

▶

OSV

CVE-2021-4213: A flaw was found in JSS, where it did not properly free up all memory↗2022-08-24

▶

📋Vendor Advisories

Red Hat

JSS: memory leak in TLS connection leads to OOM↗2022-02-09

▶

Debian

CVE-2021-4213: jss - A flaw was found in JSS, where it did not properly free up all memory. Over time...↗2021

▶