CVE-2021-37136
DoS (Denial of Service) vulnerability in netty-codec (Maven)

DoS (Denial of Service) No known exploit

What is CVE-2021-37136 About?

This vulnerability affects Netty's Bzip2 decompression decoder (Bzip2Decoder), which does not let callers restrict the size of the decompressed output. The allocation for that output is driven entirely by the compressed stream, so a small crafted input can demand far more memory than the process has, producing an OutOfMemoryError (OOME) and a Denial of Service (DoS). Exploitation is straightforward: the attacker only needs to deliver a malicious compressed stream to an endpoint that decodes it.

Affected Software

io.netty:netty-codec <4.1.68.Final

Technical Details

The Bzip2Decoder (codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java; the advisory points at the allocation sites around lines 80, 294 and 305) enforces no limit on the amount of data produced by decompression. Bzip2 achieves very high ratios on repetitive input, so a specially crafted stream of a few hundred bytes can declare and expand into gigabytes of output. The decoder sizes its output buffers from the stream's own block data rather than from a caller-supplied cap, so it keeps allocating until the JVM throws an OutOfMemoryError. Because an OOME is not recoverable in the normal request path, the application crashes or becomes unresponsive, denying service to every client of any application that runs Bzip2Decoder on untrusted input.
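The following is an added example, not Netty's code and not part of the original advisory. It uses Python's standard bz2 module to reproduce the failure mode described above (a tiny bzip2 stream expanding to many megabytes, decompressed without any cap) next to the kind of output-size check that prevents it. The bomb input, the 1 MiB cap, the chunk size and the helper names (make_bomb, unbounded_decompress, bounded_decompress, inspect) are all constructed for this illustration.

```python
"""Decompression bomb vs. output-size cap, illustrated with bzip2.

Added example (not Netty's code): Python's bz2 module stands in for any
bzip2 decoder. All inputs are constructed here; nothing is read from disk.
"""
import bz2

MiB = 1024 * 1024


class DecompressedSizeExceeded(Exception):
    """Raised when decompressed output would exceed the configured cap."""


def make_bomb(size: int) -> bytes:
    """Constructed test input: `size` zero bytes, bzip2-compressed.

    Long runs compress extremely well, so a few hundred compressed bytes
    can expand to tens of MiB. This is the attacker's input.
    """
    return bz2.compress(b"\x00" * size, compresslevel=9)


def unbounded_decompress(data: bytes) -> int:
    """Vulnerable pattern: expand whatever the stream says, then look at it.

    By the time the caller can see the size, the allocation has already
    happened. In a JVM this is where the OutOfMemoryError is thrown.
    """
    return len(bz2.decompress(data))


def bounded_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress incrementally and abort before `max_output` is exceeded.

    BZ2Decompressor.decompress(data, max_length=n) returns at most n bytes
    and buffers the remaining input internally, so the output buffer never
    grows past the cap plus one byte (the extra byte detects the overflow).
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    feed = data
    while not dec.eof:
        # Never request more than the remaining budget (+1 so an overflow is visible).
        want = min(chunk, max_output - len(out) + 1)
        piece = dec.decompress(feed, max_length=want)
        feed = b""  # all input was handed over on the first call; later calls drain the buffer
        out += piece
        if len(out) > max_output:
            raise DecompressedSizeExceeded(
                f"decompressed output exceeds {max_output} bytes; stream rejected")
        if not piece and dec.needs_input:
            # Input exhausted before the end-of-stream marker was seen.
            raise ValueError("truncated bzip2 stream")
    return bytes(out)


def inspect(data: bytes, max_output: int) -> str:
    """Classify a compressed stream the way a guarded decoder handler would."""
    try:
        bounded_decompress(data, max_output)
        return "ok"
    except DecompressedSizeExceeded:
        return "too_large"
    except ValueError:
        return "truncated"
    except OSError:  # bz2 raises OSError for corrupt or non-bzip2 data
        return "corrupt"


if __name__ == "__main__":
    bomb = make_bomb(16 * MiB)
    print(f"bomb: {len(bomb)} compressed bytes -> {unbounded_decompress(bomb)} bytes")
    print("same stream with a 1 MiB cap:", inspect(bomb, MiB))
    print("benign stream with a 1 MiB cap:", inspect(make_bomb(100), MiB))
```

The cap has to be applied while decompressing, not after: checking `len()` on the result of a one-shot `decompress()` call is exactly the vulnerable pattern, because the allocation precedes the check. In a Netty pipeline the equivalent protection is a bound on the decoder's output size, which is what upgrading to 4.1.68.Final provides for Bzip2Decoder; until then, an application can only avoid the decoder on untrusted input.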

What is the Impact of CVE-2021-37136?

Successful exploitation may allow attackers to cause a denial of service by triggering an OutOfMemoryError, leading to application crashes or unresponsiveness.

What is the Exploitability of CVE-2021-37136?

Exploitation is easy: the attacker crafts a Bzip2 stream with a very high compression ratio and sends it to any endpoint that feeds untrusted data into Bzip2Decoder. No authentication or special privilege is needed when the application decodes compressed input from external sources, and the attack can be launched remotely. The only prerequisite is a reachable handler that passes arbitrary Bzip2 streams to the decoder; the risk factor is accepting untrusted compressed data without a limit on the decompressed output.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2021-37136?

Available Upgrade Options

  • io.netty:netty-codec
    • <4.1.68.Final → Upgrade to 4.1.68.Final


Additional Resources

What are Similar Vulnerabilities to CVE-2021-37136?

Similar Vulnerabilities: CVE-2021-37137, CVE-2019-12086, CVE-2020-13956, CVE-2022-24823, CVE-2018-12502