2272907 – (CVE-2024-29025) CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling

Bug 2272907 (CVE-2024-29025) - CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling

Summary: CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Th...

Keywords:
Status:	NEW
Alias:	CVE-2024-29025
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2272909
TreeView+	depends on / blocked

Reported:	2024-04-03 08:39 UTC by Avinash Hanwate
Modified:	2024-04-30 23:00 UTC (History)
CC List:	112 users (show)
Fixed In Version:	io.netty.netty-codec-http 4.1.108.Final
Doc Type:	---
Doc Text:	A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing for data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:2088	0	None	None	None	2024-04-29 02:27:11 UTC

Description Avinash Hanwate 2024-04-03 08:39:26 UTC

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.

https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v

Comment 5 errata-xmlrpc 2024-04-29 02:27:06 UTC

This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088

Note You need to log in before you can comment on or make changes to this bug.

aazores
adupliak
aileenc
anstephe
asoldano
ataylor
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
caswilli
ccranfor
cdewolf
chazlett
chfoley
clement.escoffier
cmiranda
cmoulliard
dandread
darran.lofthouse
dhanak
dkreling
dosoudil
dpalmer
drichtar
dsimansk
eaguilar
ebaron
ecerquei
eric.wittmann
fjansen
fjuma
fmariani
fmongiar
ggastald
gmalinko
gsmet
hamadhan
ibek
ikanello
ivassile
iweiss
janstey
jbuscemi
jcantril
jcechace
jkang
jmartisk
jnethert
jpallich
jpechane
jpoth
jrokos
jross
jsamir
jscholz
kaycoth
kingland
kverlaen
lgao
lhein
lthon
matzew
max.andersen
mnovotny
mosmerov
msochure
mstefank
msvehla
mulliken
nwallace
olubyans
pantinor
parichar
pcongius
pdelbell
pdrozd
peholase
periklis
pgallagh
pierdipi
pjindal
pmackay
porcelli
probinso
pskopek
rguimara
rhuss
rjohnson
rkieley
rowaters
rruss
rstancel
rsvoboda
saroy
sausingh
sbiarozk
sdouglas
sfroberg
skontopo
smaestri
sthirugn
sthorger
swoodman
tasato
tcunning
tom.jenkinson
tqvarnst
vkrizan
yfang