It was found that due to a flaw in the WebSocket08FrameDecoder implementation a remote attacker can trigger a server side Out Of Memory Exception by issuing a series of TextWebSocketFrame and ContinuationWebSocketFrames. This may, depending on the server configuration, lead to a denial of service.
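The report describes memory exhaustion driven by one fragmented message (a TextWebSocketFrame followed by ContinuationWebSocketFrames). As an added illustration that is not part of this bug report or of Netty itself, the Netty 4.0 server pipeline below puts explicit caps on how much the server will buffer per frame and per reassembled message; the `/ws` path, the size constants and the handler class are assumptions for the example, and such limits complement rather than replace upgrading to the fixed releases listed in this thread.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.codec.http.HttpObjectAggregator;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.codec.http.websocketx.TextWebSocketFrame;
import io.netty.handler.codec.http.websocketx.WebSocketFrameAggregator;
import io.netty.handler.codec.http.websocketx.WebSocketServerProtocolHandler;

// Example pipeline (not from the bug report) with explicit caps on WebSocket buffering
// in a Netty 4.0 server. The path and size constants are assumptions for the example.
public class BoundedWebSocketInitializer extends ChannelInitializer<SocketChannel> {
    static final int MAX_FRAME_PAYLOAD = 64 * 1024;   // per-frame cap in the decoder
    static final int MAX_MESSAGE_SIZE = 1024 * 1024;  // cap on a reassembled message

    @Override
    protected void initChannel(SocketChannel ch) {
        ChannelPipeline p = ch.pipeline();
        p.addLast(new HttpServerCodec());
        p.addLast(new HttpObjectAggregator(8 * 1024));  // the upgrade request is small
        // Handshake and control frames; the last argument is the per-frame payload
        // limit the WebSocket08FrameDecoder enforces by rejecting oversized frames.
        p.addLast(new WebSocketServerProtocolHandler("/ws", null, false, MAX_FRAME_PAYLOAD));
        // Reassembles a TextWebSocketFrame plus its ContinuationWebSocketFrames into one
        // frame and fails once the accumulated payload exceeds MAX_MESSAGE_SIZE.
        p.addLast(new WebSocketFrameAggregator(MAX_MESSAGE_SIZE));
        p.addLast(new EchoTextHandler());
    }

    // After the aggregator only complete text messages reach the application.
    static final class EchoTextHandler extends SimpleChannelInboundHandler<TextWebSocketFrame> {
        @Override
        protected void channelRead0(ChannelHandlerContext ctx, TextWebSocketFrame msg) {
            ctx.writeAndFlush(new TextWebSocketFrame(msg.text()));
        }
        @Override
        public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
            // A rejected frame or an over-limit reassembled message surfaces here as a
            // DecoderException: close the connection instead of buffering further.
            if (cause instanceof DecoderException) {
                ctx.close();
            } else {
                ctx.fireExceptionCaught(cause);
            }
        }
    }
}
```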
Following releases are out and fix the problem:

4.0.19.Final
3.9.1.Final
3.8.2.Final
3.7.1.Final
3.6.9.Final
Acknowledgements: Red Hat would like to thank James Roper of Typesafe for reporting this issue.
Hi, Norman

Might I ask if netty 3.2.10.Final has this security issue? Is 3.2.10.Final out of this problem?

(In reply to Norman Maurer from comment #2)
> Following releases are out and fix the problem:
>
> 4.0.19.Final
> 3.9.1.Final
> 3.8.2.Final
> 3.7.1.Final
> 3.6.9.Final
No, it is not affected as it does not ship the websockets implementation.

(In reply to Ryan Zhang from comment #5)
> Hi, Norman
> Might I ask if netty 3.2.10.Final has this security issue? Is 3.2.10.Final
> out of this problem?
> (In reply to Norman Maurer from comment #2)
> > Following releases are out and fix the problem:
> >
> > 4.0.19.Final
> > 3.9.1.Final
> > 3.8.2.Final
> > 3.7.1.Final
> > 3.6.9.Final
Hi Norman,

Based on comment #6 could you please confirm if 3.2.6.Final was affected?

I assume it wasn't (as I assume 3.2.x lacked websockets support).

With kind regards,

Mike
3.2.6.Final was NOT affected.

(In reply to manstis from comment #7)
> Hi Norman,
>
> Based on comment #6 could you please confirm if 3.2.6.Final was affected?
>
> I assume it wasn't (as I assume 3.2.x lacked websockets support).
>
> With kind regards,
>
> Mike
This issue has been addressed in the following products:

  JBoss BRMS 6.0.2

Via RHSA-2014:0818 https://rhn.redhat.com/errata/RHSA-2014-0818.html
Issue Description: A flaw was found in the WebSocket08FrameDecoder implementation that could allow a remote attacker to trigger an Out Of Memory Exception by issuing a series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on the server configuration, this could lead to a denial of service.
This issue has been addressed in the following products:

  JBoss Operations Network 3.2.2

Via RHSA-2014:0910 https://rhn.redhat.com/errata/RHSA-2014-0910.html

This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.3.0

Via RHSA-2014:1021 https://rhn.redhat.com/errata/RHSA-2014-1021.html

This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6

Via RHSA-2014:1020 https://rhn.redhat.com/errata/RHSA-2014-1020.html

This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5

Via RHSA-2014:1019 https://rhn.redhat.com/errata/RHSA-2014-1019.html
This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html

This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

This issue has been addressed in the following products:

  JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html

This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html