CVE-2021-37137
Description
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Risk Information
Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
2.383
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2021-37137,CVE-2021-37136 are fixed in netty-codec 4.1.68 | Windows |
| Multiple Vulnerabilities are affected in Netapp Oncommand Insight 2.3 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.57 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.58 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.59 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.4 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.2.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2 | Windows |
| Multiple vulnerabilities are affected in JBoss-netty 3.9.9 | Windows |
| Multiple vulnerabilities are affected in netty 3.9.9 | Windows |
| (RHSA-2022:8506) Satellite 6.12 Release foreman-cli-3.3.0.17-1.el8sat.noarch.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release python39-pulp_manifest-3.0.0-3.el8pc.noarch.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release rubygem-apipie-bindings-0.5.0-1.el8sat.noarch.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release rubygem-ffi-1.12.2-2.1.el8sat.x86_64.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release rubygem-ffi-debugsource-1.12.2-2.1.el8sat.x86_64.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release rubygem-foreman_maintain-1.1.8-1.el8sat.noarch.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release rubygem-gssapi-1.2.0-8.el8sat.noarch.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release rubygem-hammer_cli-3.3.0-1.el8sat.noarch.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release rubygem-hammer_cli_foreman-3.3.0.1-1.el8sat.noarch.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release rubygem-hammer_cli_foreman_tasks-0.0.18-1.el8sat.noarch.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release rubygem-hammer_cli_foreman_webhooks-0.0.3-1.el8sat.noarch.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release rubygem-hammer_cli_katello-1.6.0.1-1.el8sat.noarch.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release satellite-cli-6.12.0-4.el8sat.noarch.rpm | Linux |
| (RHSA-2022:8506) Satellite 6.12 Release satellite-clone-3.2.0-1.el8sat.noarch.rpm | Linux |
| Vulnerabilities CVE-2021-37137,CVE-2021-37136 are fixed in netty-codec for Linux 4.1.68 | Linux |
| Multiple vulnerabilities are affected in JBoss-netty for Linux 3.9.9 | Linux |
| Multiple vulnerabilities are affected in netty for Linux 3.9.9 | Linux |
| Uncontrolled Resource Consumption Vulnerability (CVE-2021-37137) | NCM |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234