CVE Vulnerabilities

CVE-2022-41881

Uncontrolled Recursion

Published: Dec 12, 2022 | Modified: Mar 01, 2023
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.

Weakness

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Software

Name Vendor Start Version End Version
Netty Netty * 4.1.86 (excluding)
CEQ 2.13.2-1 RedHat codec-haproxy *
EAP 7.4.10 release RedHat codec-haproxy *
Migration Toolkit for Runtimes 1 on RHEL 8 RedHat mtr/mtr-web-container-rhel8:1.1-7 *
Migration Toolkit for Runtimes 1 on RHEL 8 RedHat io.netty-netty-parent *
Migration Toolkit for Runtimes 1 on RHEL 8 RedHat org.jboss.windup.plugin-windup-maven-plugin-parent *
MTA-6.2-RHEL-9 RedHat mta/mta-windup-addon-rhel9:6.2.0-11 *
Red Hat build of Eclipse Vert.x 4.3.7 RedHat codec-haproxy *
Red Hat build of Quarkus RedHat *
Red Hat Data Grid 8.4.1 RedHat codec-haproxy *
Red Hat Fuse 7.12 RedHat codec-haproxy *
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 RedHat eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 RedHat eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el9eap *
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 RedHat eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el7eap *
Red Hat Single Sign-On 7 RedHat codec-haproxy *
Red Hat Single Sign-On 7.6 for RHEL 7 RedHat rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el7sso *
Red Hat Single Sign-On 7.6 for RHEL 8 RedHat rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el8sso *
Red Hat Single Sign-On 7.6 for RHEL 9 RedHat rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el9sso *
RHEL-8 based Middleware Containers RedHat rh-sso-7/sso76-openshift-rhel8:7.6-22 *
RHINT Camel-Springboot 3.20.1 RedHat codec-haproxy *
Netty Ubuntu bionic *
Netty Ubuntu esm-apps/bionic *
Netty Ubuntu esm-apps/focal *
Netty Ubuntu esm-apps/xenial *
Netty Ubuntu jammy *
Netty Ubuntu kinetic *
Netty Ubuntu lunar *
Netty Ubuntu mantic *
Netty Ubuntu trusty *
Netty Ubuntu trusty/esm *
Netty Ubuntu xenial *
Netty-3.9 Ubuntu bionic *
Netty-3.9 Ubuntu trusty *
Netty-3.9 Ubuntu xenial *

Potential Mitigations

References