Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected products
- io.netty / netty-codec< 4.1.133.Final – < 4.1.133.Final
- io.netty / netty-codec-compression< 4.2.13.Final – < 4.2.13.Final
- netty / netty>= 4.2.0.Alpha1, < 4.2.13.Final – >= 4.2.0.Alpha1, < 4.2.13.Final
- netty / netty< 4.1.133.Final – < 4.1.133.Final