PT-2021-7976 · Netty+5

Published: 2021-09-09 · Updated: 2024-10-30 · CVE-2021-37137

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Netty versions prior to 4.1.67.Final

Description: The Snappy frame decoder (SnappyFrameDecoder) does not restrict the chunk length, which may lead to excessive memory usage. Additionally, it buffers reserved skippable chunks until the whole chunk is received, which likewise results in excessive memory usage. The issue can be triggered by supplying input that decompresses to a very large size or by sending a huge skippable chunk. All users of SnappyFrameDecoder are affected, putting the application at risk of a denial-of-service attack through memory exhaustion.

Recommendations: For Netty versions prior to 4.1.67.Final, update to version 4.1.67.Final or later to resolve the issue. As a temporary workaround, restrict the size of the input reaching the decoder so that a single connection cannot consume unbounded memory. Additionally, monitor the application's memory usage to detect a denial-of-service attempt in progress.
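The workaround above (restricting input size ahead of the decoder) can be implemented as a small inbound handler placed before SnappyFrameDecoder in the channel pipeline. The following is an added example written for this page; it is not Netty's own code and not part of the advisory. It assumes the Netty 4.1 API (ChannelInboundHandlerAdapter, SnappyFrameDecoder in io.netty.handler.codec.compression) and uses an assumed per-connection budget and handler names that an operator would size for their own traffic.

```java
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.compression.SnappyFrameDecoder;
import io.netty.util.ReferenceCountUtil;

import java.util.function.Supplier;

/**
 * Added example (not Netty project code): builds a pipeline in which an
 * InputSizeLimiter sits in front of SnappyFrameDecoder, so that the compressed
 * bytes a single connection may feed to the decoder are capped. This bounds
 * both the buffered skippable chunk and (by Snappy's compression ratio) the
 * decompressed output until the upgrade to 4.1.67.Final or later is deployed.
 */
public final class BoundedSnappyInitializer extends ChannelInitializer<SocketChannel> {

    // Assumed budget for the example; size it to what the application legitimately expects.
    public static final long DEFAULT_MAX_COMPRESSED_BYTES = 4L * 1024 * 1024;

    private final Supplier<ChannelHandler> applicationHandlerFactory; // hypothetical app handler
    private final long maxCompressedBytes;

    public BoundedSnappyInitializer(Supplier<ChannelHandler> applicationHandlerFactory,
                                    long maxCompressedBytes) {
        this.applicationHandlerFactory = applicationHandlerFactory;
        this.maxCompressedBytes = maxCompressedBytes;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        ch.pipeline()
          // 1. Cap the raw compressed input before it reaches the decoder.
          .addLast("inputLimiter", new InputSizeLimiter(maxCompressedBytes))
          // 2. The vulnerable decoder (unchanged); it now only ever sees bounded input.
          .addLast("snappy", new SnappyFrameDecoder())
          // 3. A fresh application handler per channel (no @Sharable requirement).
          .addLast("app", applicationHandlerFactory.get());
    }

    /** Counts inbound compressed bytes and closes the connection once the budget is exceeded. */
    public static final class InputSizeLimiter extends ChannelInboundHandlerAdapter {
        private final long limit;
        private long seen;

        public InputSizeLimiter(long limit) {
            if (limit <= 0) {
                throw new IllegalArgumentException("limit must be positive: " + limit);
            }
            this.limit = limit;
        }

        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) {
            if (msg instanceof ByteBuf) {
                seen += ((ByteBuf) msg).readableBytes();
                if (seen > limit) {
                    // Over budget: drop the buffer (releasing its reference) and close the
                    // connection instead of letting the decoder accumulate it in memory.
                    ReferenceCountUtil.release(msg);
                    ctx.close();
                    return;
                }
            }
            ctx.fireChannelRead(msg);
        }

        /** Bytes accepted so far on this connection; useful for metrics and tests. */
        public long bytesSeen() {
            return seen;
        }
    }
}
```

The counter is cumulative per connection, which is deliberately blunt: it cannot tell a large legitimate stream from an oversized single frame, so long-lived connections should either be sized with a correspondingly larger budget or use a decoder-level limit once the fixed release is in place. Because the cap applies to compressed bytes, the decompressed size it permits is that budget multiplied by Snappy's maximum expansion ratio; account for that when choosing the value. Closing a connection on breach is also an event worth counting in monitoring, since a burst of such closures is the memory-pressure signal the recommendation asks operators to watch for.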

Fix

Resource Exhaustion


Weakness Enumeration

Related Identifiers

BDU:2023-08650
CVE-2021-37137
DLA-3268-1
DSA-5316-1
GHSA-9VJP-V76F-G363
OESA-2021-1423
OPENSUSE-SU-2022_1271-1
OPENSUSE-SU-2024:14442-1
RHSA-2022:4918
RHSA-2022:4919
RHSA-2022:8506
RHSA-2025:9582
RHSA-2025:9583
RLSA-2022:8506
SUSE-SU-2022:1271-1
SUSE-SU-2022:3617-1
SUSE-SU-2022:3760-1
SUSE-SU-2022:3793-1
USN-6049-1

Affected Products

Astra Linux
Linuxmint
Netty
Rocky Linux
Suse
Ubuntu