Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2022-41881

Uncontrolled Recursion

Published: Dec 12, 2022 | Modified: Mar 01, 2023
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2022-41881
CWEhttps://cwe.mitre.org/data/definitions/674.html

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.

Weakness

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Software

Name Vendor Start Version End Version
Netty Netty * 4.1.86 (excluding)
CEQ 2.13.2-1 RedHat codec-haproxy *
EAP 7.4.10 release RedHat codec-haproxy *
Migration Toolkit for Runtimes 1 on RHEL 8 RedHat mtr/mtr-web-container-rhel8:1.1-7 *
Migration Toolkit for Runtimes 1 on RHEL 8 RedHat io.netty-netty-parent *
Migration Toolkit for Runtimes 1 on RHEL 8 RedHat org.jboss.windup.plugin-windup-maven-plugin-parent *
MTA-6.2-RHEL-9 RedHat mta/mta-windup-addon-rhel9:6.2.0-11 *
Red Hat build of Eclipse Vert.x 4.3.7 RedHat codec-haproxy *
Red Hat build of Quarkus RedHat *
Red Hat Data Grid 8.4.1 RedHat codec-haproxy *
Red Hat Fuse 7.12 RedHat codec-haproxy *
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 RedHat eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 RedHat eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el9eap *
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 RedHat eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el7eap *
Red Hat Single Sign-On 7 RedHat codec-haproxy *
Red Hat Single Sign-On 7.6 for RHEL 7 RedHat rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el7sso *
Red Hat Single Sign-On 7.6 for RHEL 8 RedHat rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el8sso *
Red Hat Single Sign-On 7.6 for RHEL 9 RedHat rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el9sso *
RHEL-8 based Middleware Containers RedHat rh-sso-7/sso76-openshift-rhel8:7.6-22 *
RHINT Camel-Springboot 3.20.1 RedHat codec-haproxy *
Netty Ubuntu bionic *
Netty Ubuntu esm-apps/bionic *
Netty Ubuntu esm-apps/focal *
Netty Ubuntu esm-apps/xenial *
Netty Ubuntu jammy *
Netty Ubuntu kinetic *
Netty Ubuntu lunar *
Netty Ubuntu mantic *
Netty Ubuntu trusty *
Netty Ubuntu xenial *
Netty-3.9 Ubuntu bionic *
Netty-3.9 Ubuntu trusty *
Netty-3.9 Ubuntu xenial *

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use