Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final. https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3 https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088
This issue has been addressed in the following products: Red Hat build of Quarkus 3.8.4 Via RHSA-2024:2106 https://access.redhat.com/errata/RHSA-2024:2106
This issue has been addressed in the following products: Red Hat build of Quarkus 3.2.12 Via RHSA-2024:2705 https://access.redhat.com/errata/RHSA-2024:2705
This issue has been addressed in the following products: RHINT Service Registry 2.5.11 GA Via RHSA-2024:2833 https://access.redhat.com/errata/RHSA-2024:2833
This issue has been addressed in the following products: Red Hat JBoss AMQ Via RHSA-2024:2945 https://access.redhat.com/errata/RHSA-2024:2945
This issue has been addressed in the following products: Red Hat AMQ Streams 2.7.0 Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527
This issue has been addressed in the following products: HawtIO 4.0.0 for Red Hat build of Apache Camel 4 Via RHSA-2024:3550 https://access.redhat.com/errata/RHSA-2024:3550
This issue has been addressed in the following products: RHOSS-1.33-RHEL-8 Via RHSA-2024:4028 https://access.redhat.com/errata/RHSA-2024:4028
This issue has been addressed in the following products: Red Hat Data Grid Via RHSA-2024:4460 https://access.redhat.com/errata/RHSA-2024:4460
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2024:5145 https://access.redhat.com/errata/RHSA-2024:5145
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2024:5143 https://access.redhat.com/errata/RHSA-2024:5143
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2024:5144 https://access.redhat.com/errata/RHSA-2024:5144
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2024:5147 https://access.redhat.com/errata/RHSA-2024:5147
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2024:5482 https://access.redhat.com/errata/RHSA-2024:5482
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Via RHSA-2024:5479 https://access.redhat.com/errata/RHSA-2024:5479
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Via RHSA-2024:5481 https://access.redhat.com/errata/RHSA-2024:5481
This issue has been addressed in the following products: Streams for Apache Kafka 2.8.0 Via RHSA-2024:9571 https://access.redhat.com/errata/RHSA-2024:9571
This issue has been addressed in the following products: Red Hat AMQ Streams 2.5.2 Via RHSA-2024:6536 https://access.redhat.com/errata/RHSA-2024:6536