Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Weakness
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Netty | Netty | * | 4.1.125 (excluding) |
| Netty | Netty | 4.2.0 (including) | 4.2.5 (excluding) |
| Red Hat build of Quarkus 3.15.7 | RedHat | netty-codec | * |
| Red Hat build of Quarkus 3.20.3 | RedHat | netty-codec | * |
| Streams for Apache Kafka 2.9.3 | RedHat | * | |
| Streams for Apache Kafka 3.1.0 | RedHat | netty-codec | * |
| Netty | Ubuntu | esm-apps/bionic | * |
| Netty | Ubuntu | esm-apps/focal | * |
| Netty | Ubuntu | esm-apps/jammy | * |
| Netty | Ubuntu | esm-apps/noble | * |
| Netty | Ubuntu | esm-apps/xenial | * |
| Netty | Ubuntu | esm-infra-legacy/trusty | * |
| Netty | Ubuntu | jammy | * |
| Netty | Ubuntu | noble | * |
| Netty | Ubuntu | plucky | * |
| Netty | Ubuntu | questing | * |
| Netty | Ubuntu | upstream | * |