Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the DelegatingDecompressorFrameListener class orchestrates HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled ByteBuf handed to an anonymous ChannelInboundHandlerAdapter tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would result in the flow-controller throwing and so trigger a resource leak which at the end might take down the whole JVM due OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
The product does not properly control the allocation and maintenance of a limited resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Netty | Netty | * | 4.1.135 (excluding) |
| Netty | Netty | 4.2.0 (including) | 4.2.15 (excluding) |
| Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1 | RedHat | netty-codec-http2 | * |
| Red Hat build of Quarkus 3.27.4.SP1 | RedHat | netty-codec-http2 | * |
| Red Hat build of Quarkus 3.33.2.SP1 | RedHat | netty-codec-http2 | * |
| Streams for Apache Kafka 2.9.4 | RedHat | netty-codec-http2 | * |
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.