CVE-2021-37137 vulnerability in Netty and Other Products
Published on October 19, 2021

The Snappy frame decoder function does not restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
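The two defects the description names are a missing bound on a data chunk's length and full buffering of reserved skippable chunks. The following added example (written for this page, not Netty's code) is a small incremental reader for the Snappy framing format that shows the defensive shape: the length is checked from the 4-byte chunk header before any payload is buffered, and bytes of skippable chunks are discarded as they arrive rather than collected. The class and function names, the 64 KiB default cap (the framing format's limit on uncompressed chunk data, plus the 4-byte checksum) and the sample stream are constructed for the example; compressed chunk bodies are passed through unverified because decompression is out of scope here.

```python
"""Bounded reader for the Snappy framing format (constructed example, not Netty's code)."""

CHUNK_COMPRESSED = 0x00
CHUNK_UNCOMPRESSED = 0x01
CHUNK_STREAM_ID = 0xFF
STREAM_ID_PAYLOAD = b"sNaPpY"
# Uncompressed chunks carry at most 65536 data bytes after the 4-byte CRC. Compressed
# chunks can be slightly larger in the worst case, so the cap is a constructor argument.
MAX_DATA_CHUNK_LENGTH = 4 + 65536


class SnappyFrameError(ValueError):
    pass


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), reflected polynomial 0x82F63B78, as used by Snappy."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def masked_crc32c(data: bytes) -> int:
    """Snappy's masked checksum: rotate the CRC right by 15 bits and add a constant."""
    crc = crc32c(data)
    return (((crc >> 15) | (crc << 17)) + 0xA282EAD8) & 0xFFFFFFFF


class BoundedSnappyFrameReader:
    """Incremental chunk parser; feed() returns completed chunks as (type, body) tuples."""

    def __init__(self, max_chunk_length: int = MAX_DATA_CHUNK_LENGTH):
        self.max_chunk_length = max_chunk_length
        self.skipped_bytes = 0      # bytes of skippable chunks dropped so far
        self._started = False       # stream identifier seen
        self._buf = bytearray()     # never holds more than max(4, max_chunk_length) bytes
        self._type = None           # chunk type once the header is complete
        self._remaining = 0         # payload bytes still expected for the current chunk

    def feed(self, data: bytes) -> list:
        out = []
        pos = 0
        while pos < len(data):
            if self._type is None:
                # Collect the 4-byte header: 1 byte type, 3-byte little-endian length.
                take = min(4 - len(self._buf), len(data) - pos)
                self._buf += data[pos:pos + take]
                pos += take
                if len(self._buf) < 4:
                    break
                self._begin_chunk(self._buf[0], int.from_bytes(self._buf[1:4], "little"))
                self._buf.clear()
            elif 0x80 <= self._type <= 0xFE:
                # Reserved skippable chunk: drop bytes on arrival, never buffer them.
                take = min(self._remaining, len(data) - pos)
                self._remaining -= take
                self.skipped_bytes += take
                pos += take
                if self._remaining == 0:
                    self._type = None
            else:
                # Data or stream-identifier chunk: length already bounded by _begin_chunk.
                take = min(self._remaining, len(data) - pos)
                self._buf += data[pos:pos + take]
                self._remaining -= take
                pos += take
                if self._remaining == 0:
                    out.append(self._end_chunk())
        return out

    def _begin_chunk(self, ctype: int, length: int) -> None:
        if ctype == CHUNK_STREAM_ID:
            if length != len(STREAM_ID_PAYLOAD):
                raise SnappyFrameError("bad stream identifier length %d" % length)
        elif ctype in (CHUNK_COMPRESSED, CHUNK_UNCOMPRESSED):
            if not self._started:
                raise SnappyFrameError("data chunk before stream identifier")
            if length < 4:
                raise SnappyFrameError("data chunk too short to hold a checksum")
            if length > self.max_chunk_length:
                # The bound the advisory says was missing: reject from the header alone.
                raise SnappyFrameError(
                    "chunk length %d exceeds limit %d" % (length, self.max_chunk_length))
        elif ctype < 0x80:
            raise SnappyFrameError("reserved unskippable chunk type 0x%02x" % ctype)
        self._type, self._remaining = ctype, length

    def _end_chunk(self):
        ctype, payload = self._type, bytes(self._buf)
        self._buf.clear()
        self._type = None
        if ctype == CHUNK_STREAM_ID:
            if payload != STREAM_ID_PAYLOAD:
                raise SnappyFrameError("bad stream identifier")
            self._started = True
            return (ctype, b"")
        body = payload[4:]
        if ctype == CHUNK_UNCOMPRESSED:
            if int.from_bytes(payload[:4], "little") != masked_crc32c(body):
                raise SnappyFrameError("checksum mismatch")
        return (ctype, body)


def build_chunk(ctype: int, payload: bytes) -> bytes:
    """Encode one chunk (helper for constructing sample input)."""
    return bytes([ctype]) + len(payload).to_bytes(3, "little") + payload


def build_uncompressed_chunk(body: bytes) -> bytes:
    return build_chunk(CHUNK_UNCOMPRESSED, masked_crc32c(body).to_bytes(4, "little") + body)


STREAM_IDENTIFIER = build_chunk(CHUNK_STREAM_ID, STREAM_ID_PAYLOAD)


def demo():
    """Constructed stream: two data chunks around a 100,000-byte skippable chunk."""
    reader = BoundedSnappyFrameReader()
    stream = (STREAM_IDENTIFIER
              + build_uncompressed_chunk(b"hello, snappy")
              + build_chunk(0x80, b"x" * 100_000)   # skippable: dropped, never buffered
              + build_uncompressed_chunk(b"second"))
    chunks = []
    for i in range(0, len(stream), 4096):           # feed in pieces, as a socket would
        chunks += reader.feed(stream[i:i + 4096])
    bodies = [body for ctype, body in chunks if ctype == CHUNK_UNCOMPRESSED]
    # A header announcing a 16,000,000-byte data chunk is refused before any payload.
    strict = BoundedSnappyFrameReader()
    strict.feed(STREAM_IDENTIFIER)
    try:
        strict.feed(bytes([CHUNK_UNCOMPRESSED]) + (16_000_000).to_bytes(3, "little"))
        oversized_rejected = False
    except SnappyFrameError:
        oversized_rejected = True
    return bodies, reader.skipped_bytes, oversized_rejected


if __name__ == "__main__":
    print(demo())
```

The reader's peak buffer size is bounded by the cap regardless of what the 3-byte length field claims, and a skippable chunk of any size costs only a counter, which is the property a decoder needs to hold against the input described above.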


Weakness Type

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2021-37137 has been classified as a Resource Exhaustion vulnerability or weakness.


Products Associated with CVE-2021-37137


Affected Versions

The Netty project: Netty

Vulnerable Packages

The following package names and versions may be associated with CVE-2021-37137:

Package Manager | Vulnerable Package | Versions        | Fixed In
maven           | netty-codec        | <= 4.1.67.Final | 4.1.68.Final

Exploit Probability

EPSS: 2.38%
Percentile: 84.72%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.