Violetagg

**Name of the Vulnerable Software and Affected Versions** Netty versions prior to 4.2.15.Final **Description** A memory exhaustion issue exists in the Netty HTTP/3 codec. This flaw allows for the creation of an infinite number of blocked streams, which can lead to an Out of Memory (OOM) error, resulting in a Denial of Service (DoS) condition. **Recommendations** Update to version 4.2.15.Final.

**Name of the Vulnerable Software and Affected Versions** Netty versions prior to 4.2.15.Final **Description** Netty QUIC exposes the stateless reset token on the network path when utilizing the default HMAC-based connection-ID and stateless-reset-token generators. Specifically, the `HmacSignQuicConnectionIdGenerator` and `HmacSignQuicResetTokenGenerator` both evaluate HMAC-SHA256 using the same JVM-wide static key `io.netty.handler.codec.quic.Hmac`. During source CID rotation in the `newSourceConnectionIds()` function, the current server source CID is used to produce the next CID. If the length of the CID is 16 bytes or more, the first 16 bytes of the new CID are identical to the stateless reset token of the previous CID. Since the CID is transmitted in QUIC headers, an on-path attacker can observe these headers to derive the reset token and perform a Denial of Service by sending a spoofed Stateless Reset packet. **Recommendations** Update to version 4.2.15.Final.

**Name of the Vulnerable Software and Affected Versions** Netty versions prior to 4.1.135.Final Netty versions prior to 4.2.15.Final **Description** Netty is a network application framework for developing protocol servers and clients. The `RedisArrayAggregator` pre-allocates an `ArrayList` with an initial capacity based on the RESP array element count declared in an array header. This count is retrieved from the wire before the child messages exist, allowing a small malicious header to claim a huge initial capacity. The aggregator initiates a new aggregation level upon receiving an `ArrayHeaderRedisMessage` and executes `new ArrayList<>(length)` for positive lengths without a configurable maximum. While the `RedisDecoder` enforces `RedisConstants.REDIS MESSAGE MAX LENGTH` for bulk string lengths, it does not apply this cap to array header lengths. This allows extremely large declared array sizes to pass decoding, leading to immediate `Object[]` reservation and potential resource exhaustion. The issue involves the `decodeLength()` function in `io.netty.handler.codec.redis.RedisDecoder` and the `decodeRedisArrayHeader()` function in `io.netty.handler.codec.redis.RedisArrayAggregator`. **Recommendations** Update to version 4.1.135.Final. Update to version 4.2.15.Final.

**Name of the Vulnerable Software and Affected Versions** Netty (affected versions not specified) **Description** The default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec does not enforce a maximum header size limit. When a peer does not specify `HTTP3 SETTINGS MAX FIELD SECTION SIZE`, the implementation uses an unbounded limit. This allows a malicious actor to send an excessive number of headers, leading to memory exhaustion and a Denial of Service via an `OutOfMemoryError`. This occurs because the default behavior follows RFC 9114, which specifies an unlimited default, unlike Netty's HTTP/1.1 and HTTP/2 implementations that enforce secure limits. The unbounded limit is passed into `Http3FrameCodec#newFactory` and stored as `maxHeaderListSize` within `Http3FrameCodec`. **Recommendations** Configure the maximum header field section size via `Http3Settings` to replace the insecure default unbounded limit.

**Name of the Vulnerable Software and Affected Versions** Netty versions prior to 4.1.135.Final Netty versions prior to 4.2.15.Final **Description** The DNS resolver in the `io.netty.resolver.dns` module uses a predictable Pseudo-Random Number Generator (PRNG) for generating DNS transaction IDs and defaults to a static UDP source port. Specifically, `DnsQueryIdSpace` manages transaction IDs using `java.util.concurrent.ThreadLocalRandom`, which is a predictable Linear Congruential Generator (LCG). Additionally, `DnsNameResolverBuilder` defaults to a `channelStrategy` of `ChannelPerResolver`, which binds the `DatagramChannel` once and results in a static source port for all subsequent queries. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning, also known as a Kaminsky attack, where an attacker can spoof DNS responses to redirect traffic to malicious IP addresses, potentially leading to man-in-the-middle attacks. **Recommendations** Update to version 4.1.135.Final or later. Update to version 4.2.15.Final or later.

**Name of the Vulnerable Software and Affected Versions** netty-handler versions prior to 4.1.135.Final netty-handler versions prior to 4.2.15.Final **Description** An incorrect masking operation in the `compareTo()` function of the `IpSubnetFilterRule` class allows an attacker to bypass IPv6 subnet rules. Specifically, the `io.netty.handler.ipfilter.IpSubnetFilterRule#compareTo(java.net.InetSocketAddress)` method performs a bitwise AND between the incoming IP address and the configured `networkAddress` instead of the `subnetMask`, enabling valid public IP addresses to bypass access controls. **Recommendations** Update to version 4.1.135.Final. Update to version 4.2.15.Final.

**Name of the Vulnerable Software and Affected Versions** Netty (ionetty:netty-resolver-dns) (affected versions not specified) **Description** Insufficient validation of the bailiwick of NS records in `DnsResolveContext` allows for DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains. Specifically, the `add()` function in `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList` accepts any NS record from the AUTHORITY section if the record's name is a suffix of the `questionName`. Consequently, the `handleWithAdditional()` function caches associated A records from the ADDITIONAL section into the `authoritativeDnsServerCache` under the parent domain's key, bypassing bailiwick rules—which dictate that a server authoritative for a subdomain should not be trusted for its parent. The `cache()` function in `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList` only prevents caching for the root zone. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Netty versions prior to 4.1.135.Final Netty versions prior to 4.2.15.Final **Description** Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. In the `buildAliasMap()` function within `io.netty.resolver.dns.DnsResolveContext`, the resolver processes the ANSWER section of a DNS response and caches all found CNAME records without verification. This can lead to DNS Cache Poisoning (Bailiwick Bypass), where an attacker provides unauthorized DNS data for a domain they do not control. **Recommendations** Update to version 4.1.135.Final Update to version 4.2.15.Final

**Name of the Vulnerable Software and Affected Versions** netty-codec-redis versions prior to 4.1.135.Final netty-codec-redis versions prior to 4.2.15.Final **Description** A denial of service can occur when an attacker sends a crafted Redis payload containing deeply nested arrays. The `io.netty.handler.codec.redis.RedisArrayAggregator` function aggregates RedisMessage parts into ArrayRedisMessage using a `Deque<AggregateState>` to track nested arrays. Because there is no limit on the maximum depth of these arrays, a continuous stream of nested array headers forces the server to allocate a massive number of `AggregateState` instances and `ArrayList` collections. This leads to heap memory exhaustion and an OutOfMemoryError. **Recommendations** Update to version 4.1.135.Final. Update to version 4.2.15.Final.

**Name of the Vulnerable Software and Affected Versions** Netty (affected versions not specified) **Description** A Denial of Service (DoS) issue exists where an attacker can exhaust the server's direct memory pool, leading to an `OutOfDirectMemoryError` and preventing legitimate connections. This occurs because the `decodeLength` function in `io.netty.handler.codec.redis.RedisDecoder` reads bytes from the network until a ` ` character is encountered but does not enforce a maximum length check while buffering. An attacker can exploit this by opening multiple concurrent connections and sending a continuous stream of digits without the required `r ` termination specified in the RESP protocol, causing the system to buffer data indefinitely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.