CVE Vulnerabilities

CVE-2021-37137

Uncontrolled Resource Consumption

Published: Oct 19, 2021 | Modified: Nov 21, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

The Snappy frame decoder function doesnt restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Name Vendor Start Version End Version
Netty Netty * 4.1.68 (excluding)
Logging subsystem for Red Hat OpenShift 5.4 RedHat openshift-logging/elasticsearch6-rhel8:v6.8.1-156 *
Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update RedHat netty-all *
OpenShift Logging 5.1 RedHat openshift-logging/elasticsearch6-rhel8:v6.8.1-67 *
OpenShift Logging 5.2 RedHat openshift-logging/elasticsearch6-rhel8:v6.8.1-66 *
OpenShift Logging 5.2 RedHat openshift-logging/elasticsearch6-rhel8:v6.8.1-157 *
OpenShift Logging 5.3 RedHat openshift-logging/elasticsearch6-rhel8:v6.8.1-65 *
OpenShift Logging 5.3 RedHat openshift-logging/elasticsearch6-rhel8:v6.8.1-159 *
Red Hat AMQ 7.9.1 RedHat netty-codec *
Red Hat AMQ Streams 2.0.0 RedHat netty-codec *
Red Hat AMQ Streams 2.4.0 RedHat *
Red Hat AMQ Streams 2.5.0 RedHat *
Red Hat build of Quarkus 2.2.5 RedHat netty-codec *
Red Hat Data Grid 8.3.0 RedHat netty-codec *
Red Hat Fuse 7.10 RedHat netty-codec *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-glassfish-el-0:3.0.1-4.b08_redhat_00005.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-hibernate-0:5.1.17-3.Final_redhat_00004.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-jackson-databind-0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-jboss-ejb-client-0:4.0.12-1.Final_redhat_00002.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-netty-0:4.1.63-2.Final_redhat_00003.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-undertow-0:1.4.18-16.SP14_redhat_00001.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-wildfly-0:7.1.11-4.GA_redhat_00002.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-wildfly-elytron-0:1.1.14-1.Final_redhat_00001.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-wildfly-http-client-0:1.0.21-1.Final_redhat_00001.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-wildfly-naming-client-0:1.0.13-1.Final_redhat_00001.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 RedHat eap7-wildfly-openssl-linux-0:1.0.12-6.Final_redhat_00001.1.ep7.el7 *
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 RedHat eap7-jackson-annotations-0:2.10.4-3.redhat_00006.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 RedHat eap7-jackson-core-0:2.10.4-3.redhat_00006.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 RedHat eap7-jackson-databind-0:2.10.4-5.redhat_00006.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 RedHat eap7-jackson-jaxrs-providers-0:2.10.4-3.redhat_00006.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 RedHat eap7-jackson-modules-base-0:2.10.4-5.redhat_00006.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 RedHat eap7-jackson-modules-java8-0:2.10.4-2.redhat_00006.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 RedHat eap7-jboss-server-migration-0:1.7.2-16.Final_redhat_00017.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 RedHat eap7-netty-0:4.1.63-5.Final_redhat_00003.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 RedHat eap7-undertow-0:2.0.41-4.SP5_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 RedHat eap7-wildfly-0:7.3.14-3.GA_redhat_00002.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 RedHat eap7-wildfly-elytron-0:1.10.17-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 RedHat eap7-netty-0:4.1.72-4.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 RedHat eap7-netty-0:4.1.72-4.Final_redhat_00001.1.el7eap *
Red Hat Satellite 6.12 for RHEL 8 RedHat candlepin-0:4.1.15-1.el8sat *
RHINT Camel-Q 2.2.1 RedHat netty-codec *
RHINT Service Registry 2.3.0 GA RedHat netty-codec *
RHPAM 7.13.0 async RedHat netty-codec *
Vert.x 4.1.5 RedHat netty-codec *
Netty Ubuntu bionic *
Netty Ubuntu devel *
Netty Ubuntu esm-apps/bionic *
Netty Ubuntu esm-apps/focal *
Netty Ubuntu esm-apps/jammy *
Netty Ubuntu esm-apps/noble *
Netty Ubuntu esm-apps/xenial *
Netty Ubuntu focal *
Netty Ubuntu hirsute *
Netty Ubuntu impish *
Netty Ubuntu jammy *
Netty Ubuntu kinetic *
Netty Ubuntu lunar *
Netty Ubuntu mantic *
Netty Ubuntu noble *
Netty Ubuntu oracular *
Netty Ubuntu plucky *
Netty Ubuntu trusty *
Netty Ubuntu trusty/esm *
Netty Ubuntu upstream *
Netty Ubuntu xenial *

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References