Bug 2004133 (CVE-2021-37136)

Summary: CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, ahenning, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bibryam, bkearney, bmaxwell, bmontgom, boliveir, brian.stansberry, btotty, caswilli, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, ehelms, eparis, eric.wittmann, etirelli, ewolinet, fjuma, ggaughan, gmalinko, gsmet, gvarsami, hamadhan, hbraun, ibek, iweiss, janstey, jburrell, jcantril, jcoleman, jjoyce, jnethert, jochrist, jokerman, jolee, jpallich, jrokos, jross, jschatte, jschluet, jsherril, jstastny, jwon, kaycoth, krathod, kverlaen, ldimaggi, lgao, lhh, lpeer, lthon, lzap, mburns, mhulan, mkolesni, mmccune, mnovotny, mosmerov, msochure, msvehla, mszynkie, myarboro, nmoumoul, nstielau, nwallace, orabin, pantinor, pcreech, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rchan, rrajasek, rruss, rstancel, rsvoboda, rwagner, sbiarozk, sclewis, scohen, sd-operator-metering, sdouglas, sguilhen, slinaber, smaestri, sponnaga, sthorger, swoodman, tcunning, tkirby, tom.jenkinson, tzimanyi, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: netty-codec-4.1.68.Final Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-14 22:34:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2006304, 2012255    
Bug Blocks: 2004097    

Description Guilherme de Almeida Suckevicz 2021-09-14 14:39:08 UTC 
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.

Reference:
https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
Comment 1 Jonathan Christison 2021-09-14 17:04:55 UTC 
Marking Red Hat AMQ Broker 7 as having a low impact, this is because although a vulnerable version of netty is used it does not use Bzip2 compression/decompression.
Comment 3 Patrick Del Bello 2021-09-16 13:29:05 UTC 
Marking Fuse 6 as OOSS and adjusting Fuse 7 to Low Impact. Netty-codec vulnerable version is present but no use of Bzip2 compression/decompression.
Comment 5 juneau 2021-09-16 15:45:13 UTC 
Marking c.r.c|Insights|MAS affected/ooss. Vulnerable code is present but appears unused.
Comment 6 Yadnyawalk Tale 2021-09-21 13:09:08 UTC 
Reducing Satellite's severity to Low as flaw doesn't affect product directly in code as it does not make use of netty-codec's Bzip2Decoder.
Comment 14 Jonathan Christison 2021-10-08 15:10:40 UTC 
Marking Red Hat AMQ Streams, Red Hat Integration Camel K, Red Hat Integration Camel Quarkus as having a low impact, this is because a vulnerable version of netty is distributed in these products and used but the vulnerable Bzip2 decoder is not used.
Comment 16 Jonathan Christison 2021-10-08 15:53:06 UTC 
Marking Red Hat Service Registry 1 & 2 as having a low impact, this is because a vulnerable version of netty is distributed in these products and used but the vulnerable Bzip2 decoder is not used.
Comment 18 Hardik Vyas 2021-10-08 17:03:09 UTC 
Upstream commit: https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020
Comment 21 Jonathan Christison 2021-10-13 09:03:58 UTC 
Marking Quarkus as a low impact, this is because a vulnerable version of netty is distributed in these products and used but the vulnerable Bzip2 decoder is not used.
Comment 24 errata-xmlrpc 2021-11-10 16:41:01 UTC 
This issue has been addressed in the following products:

  Vert.x 4.1.5

Via RHSA-2021:3959 https://access.redhat.com/errata/RHSA-2021:3959
Comment 25 errata-xmlrpc 2021-11-30 08:44:38 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ 7.9.1

Via RHSA-2021:4851 https://access.redhat.com/errata/RHSA-2021:4851
Comment 28 errata-xmlrpc 2021-12-14 17:07:56 UTC 
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2021:5129 https://access.redhat.com/errata/RHSA-2021:5129
Comment 29 errata-xmlrpc 2021-12-14 18:10:52 UTC 
This issue has been addressed in the following products:

  OpenShift Logging 5.1

Via RHSA-2021:5128 https://access.redhat.com/errata/RHSA-2021:5128
Comment 30 errata-xmlrpc 2021-12-14 18:40:33 UTC 
This issue has been addressed in the following products:

  OpenShift Logging 5.2

Via RHSA-2021:5127 https://access.redhat.com/errata/RHSA-2021:5127
Comment 31 errata-xmlrpc 2021-12-14 21:36:00 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
Comment 32 Product Security DevOps Team 2021-12-14 22:33:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-37136
Comment 33 errata-xmlrpc 2022-01-13 15:33:18 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.0.0

Via RHSA-2022:0138 https://access.redhat.com/errata/RHSA-2022:0138
Comment 34 errata-xmlrpc 2022-02-14 13:08:02 UTC 
This issue has been addressed in the following products:

  Red Hat Data Grid 8.3.0

Via RHSA-2022:0520 https://access.redhat.com/errata/RHSA-2022:0520
Comment 35 errata-xmlrpc 2022-02-21 18:23:10 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.2.5

Via RHSA-2022:0589 https://access.redhat.com/errata/RHSA-2022:0589
Comment 36 errata-xmlrpc 2022-03-22 15:34:29 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Q 2.2.1

Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
Comment 40 errata-xmlrpc 2022-05-11 18:50:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Logging 5.4

Via RHSA-2022:2216 https://access.redhat.com/errata/RHSA-2022:2216
Comment 41 errata-xmlrpc 2022-05-11 19:52:00 UTC 
This issue has been addressed in the following products:

  OpenShift Logging 5.2

Via RHSA-2022:2218 https://access.redhat.com/errata/RHSA-2022:2218
Comment 42 errata-xmlrpc 2022-05-11 20:33:21 UTC 
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2022:2217 https://access.redhat.com/errata/RHSA-2022:2217
Comment 43 errata-xmlrpc 2022-06-06 15:11:40 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2022:4922 https://access.redhat.com/errata/RHSA-2022:4922
Comment 44 errata-xmlrpc 2022-06-06 15:51:55 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:4918 https://access.redhat.com/errata/RHSA-2022:4918
Comment 45 errata-xmlrpc 2022-06-06 15:58:17 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:4919 https://access.redhat.com/errata/RHSA-2022:4919
Comment 46 errata-xmlrpc 2022-08-04 04:47:15 UTC 
This issue has been addressed in the following products:

  RHPAM 7.13.0 async

Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903
Comment 47 errata-xmlrpc 2022-10-06 12:26:34 UTC 
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835
Comment 48 errata-xmlrpc 2022-11-16 13:32:03 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.12 for RHEL 8

Via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506
Comment 49 errata-xmlrpc 2023-05-18 09:54:07 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.4.0

Via RHSA-2023:3223 https://access.redhat.com/errata/RHSA-2023:3223
Comment 50 errata-xmlrpc 2023-09-14 09:52:00 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.5.0

Via RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165