Netty: Denial of Service via Unsafe Environment File Reading
CVE-2024-47535 Published on November 12, 2024

Denial of Service attack on windows app using Netty
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

Github Repository Github Repository NVD

Vulnerability Analysis

CVE-2024-47535 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2024-47535. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2024-47535 has been classified to as a Resource Exhaustion vulnerability or weakness.


Products Associated with CVE-2024-47535

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-47535 are published in these products:

Netty
 
Oracle
 
Red Hat Kafka
 

Affected Versions

netty: netty:

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-47535

Package Manager Vulnerable Package Versions Fixed In
maven io.netty:netty-common <= 4.1.114 4.1.115
maven io.lettuce:lettuce-core < 6.5.1.RELEASE 6.5.1.RELEASE

Exploit Probability

EPSS
0.20%
Percentile
41.84%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.