CVE-2021-37136

CWE-400Uncontrolled Resource Consumption9 documents8 sources
Severity
7.5HIGH
EPSS
1.2%
top 21.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
19
THE Netty Project NettyNetty NettyOracle Communications BRM - Elastic Charging Engine+16 more
Timeline
PublishedOct 19
Latest updateOct 15

Description

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages20 packages

NVDnetty/netty< 4.1.68
NVDquarkus/quarkus< 2.2.4

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
CVE-2021-37136: The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size us2021-10-19
CVEList
CVE-2021-37136: The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size us2021-10-19
GHSA
Bzip2Decoder doesn't allow setting size restrictions for decompressed data2021-09-09
OSV
Bzip2Decoder doesn't allow setting size restrictions for decompressed data2021-09-09

📋Vendor Advisories

4
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (Netty) — CVE-2021-371362023-10-15
Ubuntu
Netty vulnerabilities2023-04-28
Red Hat
netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data2021-09-09
Debian
CVE-2021-37136: netty - The Bzip2 decompression decoder function doesn't allow setting size restrictions...2021