Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05dmpwLXY3NmYtZzM2M80Vrw

SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks unnecessarily

Impact

SnappyFrameDecoder does not restrict the chunk length declared in a chunk header, which can lead to excessive memory usage. It also buffers reserved skippable chunks until the whole chunk has been received, instead of discarding them as they arrive, which can likewise consume excessive memory.

The vulnerability can be triggered by supplying malicious input that decompresses to a very large size (via a network stream or a file) or by sending a huge skippable chunk.

Impact

All users of SnappyFrameDecoder are affected; an application using it is at risk of a denial-of-service (DoS) attack through excessive memory usage.
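As an added example (not Netty's code and not part of this advisory), the following Python decoder for the Snappy framing format shows the three checks the description calls for: the chunk length is bounded from the 4-byte header before any body bytes are waited for, skippable chunks are thrown away as they arrive rather than accumulated until complete, and a compressed chunk's declared output size is read from its preamble and compared against the per-chunk limit before anything is decompressed. It assumes the chunk layout of the Snappy framing format (1-byte type, 3-byte little-endian length, a 4-byte masked CRC32C before the data in chunk types 0x00 and 0x01, types 0x80 to 0xfe skippable, 0xff the stream identifier) and the reference implementation's MaxCompressedLength bound of 32 + n + n/6. Checksum verification and block-level decompression itself are left out; the decoder returns the (type, body) pairs it has validated. All inputs are constructed for the example.

```python
"""Streaming Snappy framing-format decoder with the limits this advisory calls for:
chunk length is bounded from the 4-byte header before the body is awaited, skippable
chunks are discarded as they arrive instead of being buffered whole, and a compressed
chunk's declared output size is checked before anything is decompressed.
Added illustration, not Netty's SnappyFrameDecoder; CRC32C fields are skipped."""
MAX_UNCOMPRESSED = 65536                            # framing spec: uncompressed data per chunk
MAX_CHUNK_LENGTH = 4 + 32 + MAX_UNCOMPRESSED + MAX_UNCOMPRESSED // 6  # CRC + MaxCompressedLength
STREAM_ID = b"\xff\x06\x00\x00sNaPpY"


def snappy_declared_size(block: bytes) -> int:
    """Uncompressed length from the varint preamble of a raw Snappy block."""
    n, shift = 0, 0
    for b in block[:5]:
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n
        shift += 7
    raise ValueError("bad preamble")


class SnappyFrameDecoder:
    """Accepts arbitrarily fragmented input via feed(); returns (chunk type, body) pairs."""

    def __init__(self, max_chunk_length: int = MAX_CHUNK_LENGTH):
        self.max_chunk_length, self.buf, self.to_skip = max_chunk_length, bytearray(), 0

    def feed(self, data: bytes) -> list:
        self.buf += data
        out = []
        while True:
            if self.to_skip:                        # skippable chunk: discard incrementally
                n = min(self.to_skip, len(self.buf))
                del self.buf[:n]
                self.to_skip -= n
                if self.to_skip:
                    return out
            if len(self.buf) < 4:
                return out
            ctype, length = self.buf[0], int.from_bytes(self.buf[1:4], "little")
            if ctype == 0xFF:                       # stream identifier chunk
                if len(self.buf) < 10:
                    return out
                if length != 6 or self.buf[4:10] != b"sNaPpY":
                    raise ValueError("bad stream identifier")
                del self.buf[:10]
                continue
            if 0x80 <= ctype <= 0xFE:               # reserved skippable (0x80-0xfd) or padding (0xfe)
                del self.buf[:4]
                self.to_skip = length
                continue
            if ctype > 0x01:
                raise ValueError(f"reserved unskippable chunk type {ctype:#x}")
            # Bound from the header alone: reject before waiting for (and buffering) the body.
            if not 4 <= length <= self.max_chunk_length:
                raise ValueError(f"chunk length {length} out of bounds")
            if ctype == 0x01 and length - 4 > MAX_UNCOMPRESSED:
                raise ValueError(f"uncompressed chunk of {length - 4} bytes too large")
            if len(self.buf) < 4 + length:
                return out
            body = bytes(self.buf[8:4 + length])    # skip the 4-byte masked CRC32C
            del self.buf[:4 + length]
            if ctype == 0x00:
                declared = snappy_declared_size(body)   # decided before any decompression
                if declared > MAX_UNCOMPRESSED:
                    raise ValueError(f"compressed chunk declares {declared} bytes, limit {MAX_UNCOMPRESSED}")
            out.append((ctype, body))


def chunk(ctype: int, payload: bytes) -> bytes:
    """Constructed data chunk with a zero CRC placeholder (checksums are not verified)."""
    return bytes([ctype]) + (len(payload) + 4).to_bytes(3, "little") + b"\0\0\0\0" + payload


def decode_all(stream: bytes, piece: int = 4096):
    """Feed `stream` in `piece`-byte fragments; return (payloads, peak bytes retained between feeds)."""
    dec, payloads, peak = SnappyFrameDecoder(), [], 0
    for off in range(0, len(stream), piece):
        payloads += dec.feed(stream[off:off + piece])
        peak = max(peak, len(dec.buf))
    return payloads, peak


def rejection(stream: bytes):
    """Return the error message with which `stream` is rejected, or None if it decodes."""
    try:
        decode_all(stream)
    except ValueError as e:
        return str(e)
    return None


# Constructed inputs.  COMPRESSED_ABC: preamble 12, literal "abc", 9-byte copy at offset 3.
COMPRESSED_ABC = b"\x0c\x08abc\x15\x03"
GOOD_STREAM = (STREAM_ID + chunk(0x01, b"hello")
               + b"\x80" + (100_000).to_bytes(3, "little") + b"x" * 100_000   # 100 kB skippable
               + chunk(0x00, COMPRESSED_ABC))
HUGE_HEADER = STREAM_ID + b"\x00\xff\xff\xff"       # data chunk claiming 16 MiB - 1: rejected on header
HUGE_PREAMBLE = STREAM_ID + chunk(0x00, b"\x80\x80\x80\x80\x04\x00\x00")  # claims 1 GiB of output
```

Feeding GOOD_STREAM in 4 KiB fragments yields the two data chunks while the 100 kB skippable chunk never accumulates: the decoder retains nothing between feeds. HUGE_HEADER is refused from its four header bytes alone, so a peer cannot force the decoder to hold 16 MiB per connection, and HUGE_PREAMBLE is refused by its preamble before any output buffer of the declared size would be allocated.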

References

https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79
https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171
https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185

Permalink: https://github.com/advisories/GHSA-9vjp-v76f-g363
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05dmpwLXY3NmYtZzM2M80Vrw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 9 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-9vjp-v76f-g363, CVE-2021-37137
References: Repository: https://github.com/netty/netty
Blast Radius: 31.2

Affected Packages

maven:io.netty:netty
Dependent packages: 1,133
Dependent repositories: 14,650
Affected Version Ranges: < 4.0.0
No known fixed version
maven:org.jboss.netty:netty
Dependent packages: 324
Dependent repositories: 1,820
Affected Version Ranges: < 4.0.0
No known fixed version
maven:io.netty:netty-codec
Dependent packages: 1,302
Dependent repositories: 4,698
Affected Version Ranges: >= 4.0.0, < 4.1.68.Final
Fixed in: 4.1.68.Final
All affected versions: 4.1.60.Final, 4.1.61.Final, 4.1.62.Final, 4.1.63.Final, 4.1.64.Final, 4.1.65.Final, 4.1.66.Final, 4.1.67.Final