Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2021-37136

Disclosure Date: October 19, 2021
CVE-2021-37136 CVSS v3 Base Score: 7.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The Bzip2 decompression decoder function doesn’t allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Netty 4.1.68Final
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • netapp,
  • netty,
  • oracle,
  • quarkus

Products

  • banking apis,
  • banking apis 19.1,
  • banking apis 19.2,
  • banking apis 20.1,
  • banking apis 21.1,
  • banking digital experience 18.1,
  • banking digital experience 18.2,
  • banking digital experience 18.3,
  • banking digital experience 19.1,
  • banking digital experience 19.2,
  • banking digital experience 20.1,
  • banking digital experience 21.1,
  • coherence 12.2.1.4.0,
  • coherence 14.1.1.0.0,
  • commerce guided search 11.3.2,
  • communications brm - elastic charging engine,
  • communications brm - elastic charging engine 12,
  • communications cloud native core binding support function 1.10.0,
  • communications cloud native core binding support function 1.11.0,
  • communications cloud native core network slice selection function 1.8.0,
  • communications cloud native core policy 1.15.0,
  • communications cloud native core security edge protection proxy 1.7.0,
  • communications cloud native core unified data repository 1.15.0,
  • communications diameter signaling router,
  • communications instant messaging server 8.1,
  • debian linux 10.0,
  • debian linux 11.0,
  • helidon 1.4.10,
  • helidon 2.4.0,
  • netty,
  • oncommand insight -,
  • peoplesoft enterprise peopletools 8.48,
  • peoplesoft enterprise peopletools 8.57,
  • peoplesoft enterprise peopletools 8.58,
  • peoplesoft enterprise peopletools 8.59,
  • quarkus,
  • webcenter portal 12.2.1.3.0,
  • webcenter portal 12.2.1.4.0

References

Canonical
CVE-2021-37136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37136)
Advisory
[tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations (https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E)
[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 (https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E)
[druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 (https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E)
[druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 (https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E)
[druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 (https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E)
[druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 (https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E)
https://security.netapp.com/advisory/ntap-20220210-0012/
[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update (https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html)
DSA-5316 (https://www.debian.org/security/2023/dsa-5316)
Miscellaneous
https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis