Bzip2 Decompression Vulnerability in Netty Affects Multiple Implementations
CVE-2021-37136
7.5 HIGH
What is CVE-2021-37136?
The Bzip2 decompression function in the Netty framework does not restrict the size of the decompressed output. Because the decoder allocates memory for whatever the compressed input expands to, a crafted input with a very high compression ratio causes excessive memory allocation during decompression, resulting in an Out Of Memory Error (OOME) and enabling denial of service (DoS). Any implementation that uses the Bzip2Decoder component is affected and should be updated to a fixed release.
Affected Version(s)
Netty < 4.1.68.Final
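The following is an added illustration, not Netty's Bzip2Decoder and not the upstream fix: it shows the check the advisory says is missing, namely decompressing a bzip2 stream while capping the decompressed output so that a tiny, highly compressible input cannot drive allocation until the process runs out of memory. It is written in Python because the standard library's bz2.BZ2Decompressor exposes a max_length argument that makes the bounded-output pattern easy to demonstrate; the function and class names, the output limit and the sample streams built in make_samples() are all this example's own.

```python
import bz2
from typing import Tuple

# Example code added to illustrate CVE-2021-37136's root cause (an unbounded
# decompressed-output size) and its mitigation. It is not Netty's Bzip2Decoder
# and not the fix shipped in Netty; every name here is this example's own.


class DecompressionBombError(ValueError):
    """Decompressed output would exceed the configured limit."""


def bounded_bz2_decompress(compressed: bytes, max_output: int,
                           chunk_size: int = 64 * 1024) -> bytes:
    """Decompress a bzip2 stream, refusing to emit more than max_output bytes.

    Output is pulled in bounded slices through BZ2Decompressor.decompress(...,
    max_length=...), so the buffer held here never exceeds max_output + 1
    bytes no matter how extreme the compression ratio of the input is.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pending = compressed  # handed to the decompressor on the first call only
    while not dec.eof:
        # Ask for at most one byte past the limit: that extra byte is how an
        # oversized stream is detected without ever buffering all of it.
        want = min(chunk_size, max_output + 1 - len(out))
        piece = dec.decompress(pending, max_length=want)
        pending = b""  # unconsumed compressed bytes stay buffered inside dec
        if not piece and not dec.eof:
            # No output and no end-of-stream marker: the input ran out mid-stream.
            raise ValueError("truncated bzip2 stream")
        out += piece
        if len(out) > max_output:
            raise DecompressionBombError(
                f"decompressed output exceeds the {max_output}-byte limit")
    return bytes(out)


def classify_stream(compressed: bytes, max_output: int) -> str:
    """Return 'ok', 'exceeds-limit' or 'truncated-or-corrupt' for a stream."""
    try:
        bounded_bz2_decompress(compressed, max_output)
    except DecompressionBombError:  # subclass of ValueError, so test it first
        return "exceeds-limit"
    except (ValueError, OSError):   # OSError: libbz2 reported a corrupt stream
        return "truncated-or-corrupt"
    return "ok"


# Constructed sample inputs (not taken from the advisory).
BENIGN_PLAINTEXT = b"GET /index.html HTTP/1.1\r\n" * 40


def make_samples() -> Tuple[bytes, bytes]:
    """Return (benign_stream, highly_compressible_stream)."""
    benign = bz2.compress(BENIGN_PLAINTEXT)
    # 8 MiB of zeros compresses to well under a kilobyte: a tiny input whose
    # unbounded expansion is exactly the allocation pattern behind the OOME.
    inflating = bz2.compress(b"\x00" * (8 * 1024 * 1024))
    return benign, inflating


if __name__ == "__main__":
    benign, inflating = make_samples()
    limit = 1024 * 1024  # assumed policy: 1 MiB of decompressed output per message
    print(f"benign stream ({len(benign)} bytes): {classify_stream(benign, limit)}")
    print(f"inflating stream ({len(inflating)} bytes): {classify_stream(inflating, limit)}")
    print(f"truncated stream: {classify_stream(benign[:-6], limit)}")
```

The limit is enforced per call to decompress rather than by inspecting the input size: the compressed length says nothing about how large the output will be, which is why a size check on the input alone would not have prevented the OOME described above.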