CVE-2021-37137
Summary
| Field | Value |
|---|---|
| CVE | CVE-2021-37137 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-10-19 15:15:00 UTC |
| Updated | 2023-11-07 03:36:00 UTC |
| Description | The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] [DLA 3268-1] netty security update | MLIST | lists.debian.org | |
| [druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 | | lists.apache.org | |
| [druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Debian -- Security Information -- DSA-5316-1 netty | DEBIAN | www.debian.org | |
| [druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 | | lists.apache.org | |
| [druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| [tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations | | lists.apache.org | |
| February 2022 Apache Netty Vulnerabilities in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| [druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| SnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way · Advisory · netty/netty · GitHub | MISC | github.com | |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 181469 Debian Security Update for netty (DLA 3268-1)
- 181471 Debian Security Update for netty (DSA 5316-1)
- 181980 Debian Security Update for netty (CVE-2021-37137)
- 199574 Ubuntu Security Notification for Netty Vulnerabilities (USN-6049-1)
- 240458 Red Hat Update for JBoss Enterprise Application Platform 7.4.5 on RHEL 7 (RHSA-2022:4918)
- 240459 Red Hat Update for JBoss Enterprise Application Platform 7.4.5 on RHEL 8 (RHSA-2022:4919)
- 240925 Red Hat Update for Satellite 6.12 (RHSA-2022:8506)
- 376257 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2022)
- 376549 Oracle Coherence April 2022 Critical Patch Update (CPUAPR2022)
- 960485 Rocky Linux Security Update for Satellite (RLSA-2022:8506)
- 980257 Java (maven) Security Update for io.netty:netty-codec (GHSA-9vjp-v76f-g363)