Bzip2 Decompression Vulnerability in Netty Affects Multiple Implementations
CVE-2021-37136
7.5 HIGH
Summary
The Bzip2 decompression function in the Netty framework does not restrict the size of the decompressed output. A compressed stream can therefore drive excessive memory allocation during decompression, resulting in an Out Of Memory Error (OOME) and potentially enabling denial of service (DoS). Any application that uses the Bzip2Decoder component is affected, so the issue needs immediate attention and remediation to ensure system stability and security.
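As an added illustration (not from the advisory and not Netty's own code), the same failure mode and its mitigation in Python's bz2 module: an unbounded decode lets the compressed stream dictate how much memory is allocated, while a streaming decode with a hard output cap stops before memory is exhausted. The sample payload is constructed inline; the size limit is an assumed policy value.

```python
import bz2

# Constructed sample input (not from the advisory): 8 MiB of zero bytes
# compresses to well under a kilobyte, so a decoder that sizes its output
# from the stream allocates thousands of times the wire size.
ORIGINAL_SIZE = 8 * 1024 * 1024
SAMPLE = bz2.compress(b"\x00" * ORIGINAL_SIZE)


class DecompressedTooLarge(Exception):
    """Raised when the output would exceed the configured cap."""


def decompress_unbounded(data: bytes) -> int:
    """The pattern the advisory describes: output size is whatever the
    compressed stream dictates, so memory use is attacker-controlled."""
    return len(bz2.decompress(data))


def decompress_bounded(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress with a hard cap on total output bytes.

    Output is pulled in pieces of at most `chunk` bytes, so peak memory is
    bounded by max_output + chunk regardless of what the stream claims.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data
    while not dec.eof:
        piece = dec.decompress(pending, max_length=chunk)
        pending = b""  # the decompressor buffers any input it has not consumed
        out += piece
        if len(out) > max_output:
            raise DecompressedTooLarge(
                f"output exceeded {max_output} bytes from {len(data)} input bytes")
        if dec.needs_input and not dec.eof:
            raise ValueError("truncated bzip2 stream")
    if dec.unused_data:
        raise ValueError("trailing data after bzip2 stream")
    return bytes(out)


def exceeds_limit(data: bytes, max_output: int) -> bool:
    """True if decoding `data` would produce more than max_output bytes."""
    try:
        decompress_bounded(data, max_output)
    except DecompressedTooLarge:
        return True
    return False


if __name__ == "__main__":
    print("wire bytes:", len(SAMPLE))
    print("unbounded output bytes:", decompress_unbounded(SAMPLE))
    print("exceeds 1 MiB cap:", exceeds_limit(SAMPLE, 1024 * 1024))
```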
Affected Version(s)
Netty < 4.1.68.Final
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved