CVE-2021-37136
Severity: HIGH
Netty < 4.1.68 - Denial of Service via Bzip2 Decompression OOME
Title source: llmDescription
The Bzip2 decompression decoder does not allow setting a size restriction on the decompressed output data, which determines the allocation size used during decompression. All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME) and thus a denial-of-service attack.
References (13)
Mailing List
https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E
Mailing List
https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
Mailing List
https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E
Mailing List
https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E
Mailing List
https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E
Mailing List
https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E
Mailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
Third Party Advisory, Vendor Advisory
https://www.debian.org/security/2023/dsa-5316
Third Party Advisory
https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220210-0012/
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Scores
CVSS v3
7.5
EPSS
0.0119
EPSS Percentile
79.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-400
Status
published
Products (41)
debian/debian_linux
10.0
debian/debian_linux
11.0
io.netty/netty
0 (Maven)
io.netty/netty-codec
0 - 4.1.68.Final (Maven)
netapp/oncommand_insight
netty/netty
< 4.1.68
oracle/banking_apis
19.1
oracle/banking_apis
19.2
oracle/banking_apis
20.1
oracle/banking_apis
21.1
... and 31 more
Published
Oct 19, 2021
Tracked Since
Feb 18, 2026