CVE-2021-37137
Severity: HIGH
Netty < 4.1.68 - Uncontrolled Resource Consumption via Snappy Frame Decoder
Title source: llmDescription
The Snappy frame decoder does not restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
References (13)
Mailing List: https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E
Mailing List: https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
Mailing List: https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E
Mailing List: https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E
Mailing List: https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E
Mailing List: https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
Third Party Advisory (vendor advisory): https://www.debian.org/security/2023/dsa-5316
Third Party Advisory: https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363
Third Party Advisory: https://security.netapp.com/advisory/ntap-20220210-0012/
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpujan2022.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpujul2022.html
Scores
CVSS v3: 7.5
EPSS: 0.0238
EPSS Percentile: 85.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-400
Status: published
Products (30)
debian/debian_linux: 10.0
debian/debian_linux: 11.0
io.netty/netty (Maven): 0
io.netty/netty-codec (Maven): 4.0.0 - 4.1.68.Final
netapp/oncommand_insight
netty/netty: < 4.1.68
oracle/banking_apis: 19.1
oracle/banking_apis: 19.2
oracle/banking_apis: 20.1
oracle/banking_apis: 21.1
... and 20 more
Published: Oct 19, 2021
Tracked Since: Feb 18, 2026