Bug 2004133 (CVE-2021-37136)

| Summary: | CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aboyko, ahenning, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bibryam, bkearney, bmaxwell, bmontgom, boliveir, brian.stansberry, btotty, caswilli, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, ehelms, eparis, eric.wittmann, etirelli, ewolinet, fjuma, ggaughan, gmalinko, gsmet, gvarsami, hamadhan, hbraun, ibek, iweiss, janstey, jburrell, jcantril, jcoleman, jjoyce, jnethert, jochrist, jokerman, jolee, jpallich, jrokos, jross, jschatte, jschluet, jsherril, jstastny, jwon, kaycoth, krathod, kverlaen, ldimaggi, lgao, lhh, lpeer, lthon, lzap, mburns, mhulan, mkolesni, mmccune, mnovotny, mosmerov, msochure, msvehla, mszynkie, myarboro, nmoumoul, nstielau, nwallace, orabin, pantinor, pcreech, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rchan, rrajasek, rruss, rstancel, rsvoboda, rwagner, sbiarozk, sclewis, scohen, sd-operator-metering, sdouglas, sguilhen, slinaber, smaestri, sponnaga, sthorger, swoodman, tcunning, tkirby, tom.jenkinson, tzimanyi, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | netty-codec-4.1.68.Final | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Netty's netty-codec due to missing size restrictions on decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-12-14 22:34:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2006304, 2012255 | | |
| Bug Blocks: | 2004097 | | |
Description

Guilherme de Almeida Suckevicz, 2021-09-14 14:39:08 UTC
Marking Red Hat AMQ Broker 7 as having a low impact; this is because, although a vulnerable version of netty is used, it does not use Bzip2 compression/decompression.

Marking Fuse 6 as OOSS and adjusting Fuse 7 to Low Impact. The vulnerable netty-codec version is present, but there is no use of Bzip2 compression/decompression.

Marking c.r.c|Insights|MAS affected/ooss. Vulnerable code is present but appears unused.

Reducing Satellite's severity to Low, as the flaw doesn't affect the product directly in code: it does not make use of netty-codec's Bzip2Decoder.

Marking Red Hat AMQ Streams, Red Hat Integration Camel K, and Red Hat Integration Camel Quarkus as having a low impact; this is because a vulnerable version of netty is distributed in these products and used, but the vulnerable Bzip2 decoder is not used.

Marking Red Hat Service Registry 1 & 2 as having a low impact; this is because a vulnerable version of netty is distributed in these products and used, but the vulnerable Bzip2 decoder is not used.

Marking Quarkus as a low impact; this is because a vulnerable version of netty is distributed in this product and used, but the vulnerable Bzip2 decoder is not used.
This issue has been addressed in the following products:

- Vert.x 4.1.5 via RHSA-2021:3959 https://access.redhat.com/errata/RHSA-2021:3959
- Red Hat AMQ 7.9.1 via RHSA-2021:4851 https://access.redhat.com/errata/RHSA-2021:4851
- OpenShift Logging 5.3 via RHSA-2021:5129 https://access.redhat.com/errata/RHSA-2021:5129
- OpenShift Logging 5.1 via RHSA-2021:5128 https://access.redhat.com/errata/RHSA-2021:5128
- OpenShift Logging 5.2 via RHSA-2021:5127 https://access.redhat.com/errata/RHSA-2021:5127
- Red Hat Fuse 7.10 via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-37136

This issue has been addressed in the following products:

- Red Hat AMQ Streams 2.0.0 via RHSA-2022:0138 https://access.redhat.com/errata/RHSA-2022:0138
- Red Hat Data Grid 8.3.0 via RHSA-2022:0520 https://access.redhat.com/errata/RHSA-2022:0520
- Red Hat build of Quarkus 2.2.5 via RHSA-2022:0589 https://access.redhat.com/errata/RHSA-2022:0589
- RHINT Camel-Q 2.2.1 via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
- Red Hat OpenShift Logging 5.4 via RHSA-2022:2216 https://access.redhat.com/errata/RHSA-2022:2216
- OpenShift Logging 5.2 via RHSA-2022:2218 https://access.redhat.com/errata/RHSA-2022:2218
- OpenShift Logging 5.3 via RHSA-2022:2217 https://access.redhat.com/errata/RHSA-2022:2217
- Red Hat JBoss Enterprise Application Platform via RHSA-2022:4922 https://access.redhat.com/errata/RHSA-2022:4922
- Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 via RHSA-2022:4918 https://access.redhat.com/errata/RHSA-2022:4918
- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 via RHSA-2022:4919 https://access.redhat.com/errata/RHSA-2022:4919
- RHPAM 7.13.0 async via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903
- RHINT Service Registry 2.3.0 GA via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835
- Red Hat Satellite 6.12 for RHEL 8 via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506
- Red Hat AMQ Streams 2.4.0 via RHSA-2023:3223 https://access.redhat.com/errata/RHSA-2023:3223
- Red Hat AMQ Streams 2.5.0 via RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165