CVE-2021-37137
DoS (Denial of Service) vulnerability in netty-codec (Maven)
What is CVE-2021-37137 About?
This vulnerability in the Snappy frame decoder function can lead to excessive memory usage, resulting in a Denial of Service (DoS) attack. It arises from unrestricted chunk lengths or buffering of large skippable chunks. Exploiting this issue is relatively easy, requiring only specially crafted malicious input.
Affected Software
Technical Details
The SnappyFrameDecoder, specifically in methods like 'decode' around lines 79, 171, and 185 within 'codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java', fails to impose proper restrictions on the length of incoming Snappy frame chunks. This lack of restriction allows an attacker to supply malicious input that, when decompressed, expands to an excessively large size, or to send a huge skippable chunk. The decoder then attempts to buffer or process this oversized data, consuming an inordinate amount of memory. This excessive memory allocation starves the system of resources, leading to an OutOfMemoryError (OOME) and ultimately a Denial of Service for any application using the vulnerable SnappyFrameDecoder.
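The bound a hardened decoder needs, worked as an added Python example (not netty's code): a parser for the Snappy framing format that checks each chunk's declared length, and a compressed chunk's uncompressed-length preamble, against a limit before any payload is copied, and steps over skippable chunks without buffering them. Field layout follows the Snappy framing spec; the CRC-32C is not verified, and SAMPLE is a constructed stream.

```python
CRC_LEN = 4               # masked CRC-32C that precedes the data in chunk types 0x00/0x01
MAX_UNCOMPRESSED = 65536  # Snappy framing spec: max uncompressed bytes per chunk

class FrameError(ValueError):
    """Malformed chunk, or a declared size above the configured bound."""

def read_varint(buf, pos):
    """Raw Snappy data starts with a varint giving the uncompressed length."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 28:
            raise FrameError("bad uncompressed-length preamble")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def parse_frames(data, max_chunk_len=MAX_UNCOMPRESSED):
    """Return [(chunk_type, payload)] per data chunk; bounds are checked on declared sizes before copying."""
    chunks, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise FrameError("truncated chunk header")
        chunk_type = data[pos]
        length = data[pos + 1] | (data[pos + 2] << 8) | (data[pos + 3] << 16)  # 24-bit LE
        pos += 4
        if chunk_type == 0xFF:                          # stream identifier
            if data[pos:pos + length] != b"sNaPpY":
                raise FrameError("bad stream identifier")
            chunks.append((chunk_type, b"sNaPpY"))
        elif chunk_type in (0x00, 0x01):                # compressed / uncompressed data
            if length > max_chunk_len + CRC_LEN:        # refuse before allocating anything
                raise FrameError(f"declared chunk length {length} exceeds bound")
            if pos + length > len(data):
                raise FrameError("truncated chunk payload")
            payload = data[pos + CRC_LEN:pos + length]
            if chunk_type == 0x00:                      # bound the expansion, not just the wire size
                expanded, _ = read_varint(payload, 0)
                if expanded > max_chunk_len:
                    raise FrameError(f"chunk would expand to {expanded} bytes")
            chunks.append((chunk_type, payload))
        elif chunk_type < 0x80:                         # reserved, unskippable
            raise FrameError(f"unsupported chunk type {chunk_type:#x}")
        elif pos + length > len(data):                  # skippable/padding: step over, never buffer
            raise FrameError("truncated skippable chunk")
        pos += length
    return chunks

# Constructed sample: stream identifier, a 5-byte uncompressed chunk, then a skippable chunk
SAMPLE = b"\xff\x06\x00\x00sNaPpY" + b"\x01\x09\x00\x00\0\0\0\0hello" + b"\x80\x03\x00\x00xyz"
```

A streaming decoder applies the same checks to the header as soon as its four bytes arrive, discarding skippable bytes as they come rather than accumulating them.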
What is the Impact of CVE-2021-37137?
Successful exploitation may allow attackers to cause a denial of service by consuming excessive memory resources, rendering the affected application or system unresponsive or crashing it.
What is the Exploitability of CVE-2021-37137?
Exploitation of this vulnerability is of low to medium complexity, as it primarily involves crafting and delivering malicious input. No specific authentication or privilege escalation is required; attackers typically need only to be able to send data to the application utilizing the vulnerable SnappyFrameDecoder, whether via a network stream or file upload. The vulnerability can be triggered remotely if the application processes untrusted input from external sources. The primary risk factor increasing exploit likelihood is the unvalidated handling of input data sizes, making any externally accessible endpoint that processes Snappy compressed data a potential target.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-37137?
Available Upgrade Options
- io.netty:netty-codec
  - >4.0.0, <4.1.68.Final → Upgrade to 4.1.68.Final
Additional Resources
- https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363
- https://security.netapp.com/advisory/ntap-20220210-0012
- https://osv.dev/vulnerability/GHSA-9vjp-v76f-g363
- https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E
- https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f
- https://nvd.nist.gov/vuln/detail/CVE-2021-37137
What are Similar Vulnerabilities to CVE-2021-37137?
Similar Vulnerabilities: CVE-2021-37136, CVE-2020-13956, CVE-2018-12502, CVE-2019-12086, CVE-2022-24823
