Bug 2272907 (CVE-2024-29025)
Summary: | CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | aazores, abrianik, adupliak, aileenc, anstephe, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bihu, bmaxwell, boliveir, brian.stansberry, caswilli, ccranfor, cdewolf, chazlett, chfoley, clement.escoffier, cmah, cmiranda, cmoulliard, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, dsimansk, eaguilar, ebaron, ecerquei, eric.wittmann, fjansen, fjuma, fmariani, fmongiar, ggastald, ggrzybek, gmalinko, gsmet, ibek, ikanello, istudens, ivassile, iweiss, janstey, jcantril, jkang, jmartisk, jnethert, jolong, jpallich, jpechane, jpoth, jrokos, jross, jsamir, jscholz, kaycoth, kingland, kverlaen, lgao, lthon, manderse, matzew, max.andersen, mnovotny, mosmerov, mposolda, msochure, mstefank, msvehla, mulliken, nipatil, nwallace, olubyans, pantinor, parichar, pcongius, pdelbell, pdrozd, peholase, pesilva, pgallagh, pierdipi, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rjohnson, rkieley, rkubis, rojacob, rowaters, rruss, rstancel, rstepani, rsvoboda, saroy, sausingh, sbiarozk, sfroberg, smaestri, ssilvert, sthirugn, sthorger, swoodman, tasato, tcunning, tom.jenkinson, tqvarnst, vkrizan, vmuzikar, wfink, yfang |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | io.netty.netty-codec-http 4.1.108.Final | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in the io.netty:netty-codec-http package. Affected versions are vulnerable to Allocation of Resources Without Limits or Throttling because of how data accumulates in the HttpPostRequestDecoder. The decoder accumulates bytes in the undecodedChunk buffer until it can decode a field, so the buffer can grow without bound. An attacker can cause a denial of service by sending a chunked POST consisting of many small fields, which are accumulated in the bodyListHttpData list. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 2272909 | | |
Description (Avinash Hanwate, 2024-04-03 08:39:26 UTC)
This issue has been addressed in the following products:

- Cryostat 2 on RHEL 8, via RHSA-2024:2088: https://access.redhat.com/errata/RHSA-2024:2088
- Red Hat build of Quarkus 3.8.4, via RHSA-2024:2106: https://access.redhat.com/errata/RHSA-2024:2106
- Red Hat build of Quarkus 3.2.12, via RHSA-2024:2705: https://access.redhat.com/errata/RHSA-2024:2705
- RHINT Service Registry 2.5.11 GA, via RHSA-2024:2833: https://access.redhat.com/errata/RHSA-2024:2833
- Red Hat JBoss AMQ, via RHSA-2024:2945: https://access.redhat.com/errata/RHSA-2024:2945
- Red Hat AMQ Streams 2.7.0, via RHSA-2024:3527: https://access.redhat.com/errata/RHSA-2024:3527
- HawtIO 4.0.0 for Red Hat build of Apache Camel 4, via RHSA-2024:3550: https://access.redhat.com/errata/RHSA-2024:3550
- RHOSS-1.33-RHEL-8, via RHSA-2024:4028: https://access.redhat.com/errata/RHSA-2024:4028
- Red Hat Data Grid, via RHSA-2024:4460: https://access.redhat.com/errata/RHSA-2024:4460
- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9, via RHSA-2024:5145: https://access.redhat.com/errata/RHSA-2024:5145
- Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7, via RHSA-2024:5143: https://access.redhat.com/errata/RHSA-2024:5143
- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8, via RHSA-2024:5144: https://access.redhat.com/errata/RHSA-2024:5144
- Red Hat JBoss Enterprise Application Platform, via RHSA-2024:5147: https://access.redhat.com/errata/RHSA-2024:5147
- Red Hat JBoss Enterprise Application Platform, via RHSA-2024:5482: https://access.redhat.com/errata/RHSA-2024:5482
- Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, via RHSA-2024:5479: https://access.redhat.com/errata/RHSA-2024:5479
- Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, via RHSA-2024:5481: https://access.redhat.com/errata/RHSA-2024:5481
- Streams for Apache Kafka 2.8.0, via RHSA-2024:9571: https://access.redhat.com/errata/RHSA-2024:9571
- Red Hat AMQ Streams 2.5.2, via RHSA-2024:6536: https://access.redhat.com/errata/RHSA-2024:6536
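As a defender-side illustration of the mechanism in the Doc Text, the following Netty 4.1 handler (example code added here, not from this bug report or the Netty project) bounds the two things the advisory says grow without limit: the body bytes fed into HttpPostRequestDecoder and the number of decoded fields it keeps. The class name, the limit values and the onField hook are assumptions; upgrading to 4.1.108.Final remains the actual fix.

```java
import io.netty.channel.*;
import io.netty.handler.codec.http.*;
import io.netty.handler.codec.http.multipart.*;

public class BoundedPostDecoderHandler extends SimpleChannelInboundHandler<HttpObject> {
    // Assumed limits (not from the advisory); size them to the application's real forms.
    private static final int MAX_FIELDS = 256;
    private static final long MAX_BODY_BYTES = 1L << 20;
    private HttpPostRequestDecoder decoder;
    private int fieldsSeen;
    private long bytesSeen;

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, HttpObject msg) {
        if (msg instanceof HttpRequest) {
            reset(); // destroys any decoder left over from a previous request on this channel
            if (HttpMethod.POST.equals(((HttpRequest) msg).method())) {
                decoder = new HttpPostRequestDecoder(new DefaultHttpDataFactory(false), (HttpRequest) msg);
            }
        }
        if (decoder == null || !(msg instanceof HttpContent)) return;
        HttpContent chunk = (HttpContent) msg;
        bytesSeen += chunk.content().readableBytes();
        if (bytesSeen > MAX_BODY_BYTES) { reject(ctx); return; } // bounds undecodedChunk growth
        decoder.offer(chunk); // the decoder copies the bytes; the pipeline releases msg afterwards
        try {
            // Drain fields as they decode. Each one stays referenced in the decoder's body list
            // until destroy(), so capping the count caps that list.
            while (decoder.hasNext()) {
                InterfaceHttpData field = decoder.next();
                if (++fieldsSeen > MAX_FIELDS) { reject(ctx); return; }
                onField(field);
            }
        } catch (HttpPostRequestDecoder.EndOfDataDecoderException ignored) {
            // hasNext() signals this way once the last chunk has been fully drained
        }
        if (msg instanceof LastHttpContent) reset();
    }

    protected void onField(InterfaceHttpData field) { /* application-specific handling (assumed hook) */ }

    private void reject(ChannelHandlerContext ctx) {
        reset(); // releases everything the decoder accumulated so far
        FullHttpResponse resp = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.REQUEST_ENTITY_TOO_LARGE);
        resp.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.CLOSE);
        ctx.writeAndFlush(resp).addListener(ChannelFutureListener.CLOSE);
    }

    private void reset() {
        if (decoder != null) { decoder.destroy(); decoder = null; }
        fieldsSeen = 0; bytesSeen = 0;
    }
}
```

The byte cap is what bounds a single chunk packed with tiny fields, because the decoder parses a whole chunk before hasNext() can drain it; the field cap bounds growth across many chunks.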