PT-2024-32648 · Netty+1
Amossys-Pgr
Published 2024-11-12 · Updated 2026-05-18
CVE-2024-47535
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Netty versions prior to 4.1.115
Description
The issue stems from an unsafe read of environment files and can cause a denial of service in Netty. When a Netty-based application runs on Windows, Netty attempts to read a file that normally does not exist there. If an attacker creates a very large file at that path, the Netty application crashes. The root cause is the normalizeOs() function in PlatformDependent.java, which reads C:\etc\os-release and C:\usr\lib\os-release without first checking which operating system it is running on. An attacker can exploit this by creating a file larger than 1 GB at one of these locations, causing the Netty application to exceed the JVM memory limit and crash.
Recommendations
For Netty versions prior to 4.1.115, update to version 4.1.115 or later to fix the vulnerability. As a temporary workaround, restrict access to the C:\etc\os-release and C:\usr\lib\os-release files so that an attacker cannot create a large file at these locations. Additionally, monitor JVM memory usage to detect crashes caused by this issue.
Exploit
Fix
DoS
Resource Exhaustion
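As an added example (not Netty's own code), the unsafe probe pattern described above is shown beside a hardened variant that checks the operating system before touching os-release and bounds how much of the file it reads. The class name OsReleaseProbe, the 64 KiB cap and the Linux-only check are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

public class OsReleaseProbe {
    // Assumed cap for this example; a genuine os-release file is a few hundred bytes.
    private static final int MAX_OS_RELEASE_BYTES = 64 * 1024;

    private static final String[] OS_RELEASE_PATHS = { "/etc/os-release", "/usr/lib/os-release" };

    /** Unsafe pattern: probes on every OS and reads the whole file into the heap.
     *  On Windows these root-relative paths resolve against the current drive,
     *  e.g. C:\etc\os-release, so a planted multi-GB file exhausts JVM memory. */
    static String readUnbounded() throws IOException {
        for (String p : OS_RELEASE_PATHS) {
            Path path = Paths.get(p);
            if (Files.exists(path)) {
                return new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
            }
        }
        return null;
    }

    /** Hardened pattern: only probe on Linux, skip anything that is not a regular
     *  file, refuse oversized files, and never read past the cap even if the file
     *  grows between the size check and the read. */
    static String readGuarded() throws IOException {
        String os = System.getProperty("os.name", "").toLowerCase(Locale.ROOT);
        if (!os.contains("linux")) {
            return null; // os-release is a Linux convention; nothing to read elsewhere
        }
        for (String p : OS_RELEASE_PATHS) {
            Path path = Paths.get(p);
            if (!Files.isRegularFile(path)) {
                continue;
            }
            if (Files.size(path) > MAX_OS_RELEASE_BYTES) {
                throw new IOException(p + " exceeds " + MAX_OS_RELEASE_BYTES + " bytes; refusing to read");
            }
            try (InputStream in = Files.newInputStream(path)) {
                byte[] buf = in.readNBytes(MAX_OS_RELEASE_BYTES); // bounded read
                return new String(buf, StandardCharsets.UTF_8);
            }
        }
        return null;
    }
}
```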
Affected Products
Netty
Suse