Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Nettys DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue.
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Netty | Netty | * | 4.1.135 (excluding) |
| Netty | Netty | 4.2.0 (including) | 4.2.15 (excluding) |
| Red Hat build of Quarkus 3.27.4.SP1 | RedHat | netty-resolver-dns | * |
| Red Hat build of Quarkus 3.33.2.SP1 | RedHat | netty-resolver-dns | * |