{
  "threat_severity" : "Moderate",
  "public_date" : "2021-09-09T00:00:00Z",
  "bugzilla" : {
    "description" : "netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way",
    "id" : "2004135",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2004135"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.", "A flaw was found in Netty's netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending specially crafted input, a remote attacker could cause excessive memory usage, resulting in a denial of service." ],
  "statement" : "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of the netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1]; hence the affected components are marked as wontfix.\nThis may be fixed in the future.\nStarting in OCP 4.7, the elasticsearch component ships as part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already in the Maintenance Phase of support.\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
  "affected_release" : [ {
    "product_name" : "Logging subsystem for Red Hat OpenShift 5.4",
    "release_date" : "2022-05-11T00:00:00Z",
    "advisory" : "RHSA-2022:2216",
    "cpe" : "cpe:/a:redhat:logging:5.4::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-156"
  }, {
    "product_name" : "OpenShift Logging 5.1",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5128",
    "cpe" : "cpe:/a:redhat:logging:5.1::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-67"
  }, {
    "product_name" : "OpenShift Logging 5.2",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5127",
    "cpe" : "cpe:/a:redhat:logging:5.2::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-66"
  }, {
    "product_name" : "OpenShift Logging 5.2",
    "release_date" : "2022-05-11T00:00:00Z",
    "advisory" : "RHSA-2022:2218",
    "cpe" : "cpe:/a:redhat:logging:5.2::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-157"
  }, {
    "product_name" : "OpenShift Logging 5.3",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5129",
    "cpe" : "cpe:/a:redhat:logging:5.3::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-65"
  }, {
    "product_name" : "OpenShift Logging 5.3",
    "release_date" : "2022-05-11T00:00:00Z",
    "advisory" : "RHSA-2022:2217",
    "cpe" : "cpe:/a:redhat:logging:5.3::el8",
    "package" : "openshift-logging/elasticsearch6-rhel8:v6.8.1-159"
  }, {
    "product_name" : "Red Hat AMQ 7.9.1",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4851",
    "cpe" : "cpe:/a:redhat:amq_broker:7",
    "package" : "netty-codec",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat AMQ Streams 2.0.0",
    "release_date" : "2022-01-13T00:00:00Z",
    "advisory" : "RHSA-2022:0138",
    "cpe" : "cpe:/a:redhat:amq_streams:2",
    "package" : "netty-codec",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat AMQ Streams 2.4.0",
    "release_date" : "2023-05-18T00:00:00Z",
    "advisory" : "RHSA-2023:3223",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "Red Hat AMQ Streams 2.5.0",
    "release_date" : "2023-09-14T00:00:00Z",
    "advisory" : "RHSA-2023:5165",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "Red Hat build of Quarkus 2.2.5",
    "release_date" : "2022-02-21T00:00:00Z",
    "advisory" : "RHSA-2022:0589",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "netty-codec"
  }, {
    "product_name" : "Red Hat Data Grid 8.3.0",
    "release_date" : "2022-02-14T00:00:00Z",
    "advisory" : "RHSA-2022:0520",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8",
    "package" : "netty-codec"
  }, {
    "product_name" : "Red Hat Fuse 7.10",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5134",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "netty-codec",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "release_date" : "2022-06-06T00:00:00Z",
    "advisory" : "RHSA-2022:4922",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4",
    "package" : "netty-all"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-glassfish-el-0:3.0.1-4.b08_redhat_00005.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-hibernate-0:5.1.17-3.Final_redhat_00004.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jackson-databind-0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-jboss-ejb-client-0:4.0.12-1.Final_redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-netty-0:4.1.63-2.Final_redhat_00003.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-undertow-0:1.4.18-16.SP14_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-wildfly-0:7.1.11-4.GA_redhat_00002.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-wildfly-elytron-0:1.1.14-1.Final_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-wildfly-http-client-0:1.0.21-1.Final_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-wildfly-naming-client-0:1.0.13-1.Final_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9582",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7",
    "package" : "eap7-wildfly-openssl-linux-0:1.0.12-6.Final_redhat_00001.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9583",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-annotations-0:2.10.4-3.redhat_00006.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9583",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-core-0:2.10.4-3.redhat_00006.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9583",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-databind-0:2.10.4-5.redhat_00006.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9583",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-jaxrs-providers-0:2.10.4-3.redhat_00006.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9583",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-modules-base-0:2.10.4-5.redhat_00006.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9583",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00006.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9583",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-jboss-server-migration-0:1.7.2-16.Final_redhat_00017.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9583",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-netty-0:4.1.63-5.Final_redhat_00003.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9583",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-undertow-0:2.0.41-4.SP5_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9583",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-wildfly-0:7.3.14-3.GA_redhat_00002.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
    "release_date" : "2025-06-25T00:00:00Z",
    "advisory" : "RHSA-2025:9583",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7",
    "package" : "eap7-wildfly-elytron-0:1.10.17-1.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
    "release_date" : "2022-06-06T00:00:00Z",
    "advisory" : "RHSA-2022:4919",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
    "package" : "eap7-netty-0:4.1.72-4.Final_redhat_00001.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
    "release_date" : "2022-06-06T00:00:00Z",
    "advisory" : "RHSA-2022:4918",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
    "package" : "eap7-netty-0:4.1.72-4.Final_redhat_00001.1.el7eap"
  }, {
    "product_name" : "Red Hat Satellite 6.12 for RHEL 8",
    "release_date" : "2022-11-16T00:00:00Z",
    "advisory" : "RHSA-2022:8506",
    "cpe" : "cpe:/a:redhat:satellite:6.12::el8",
    "package" : "candlepin-0:4.1.15-1.el8sat",
    "impact" : "low"
  }, {
    "product_name" : "RHINT Camel-Q 2.2.1",
    "release_date" : "2022-03-22T00:00:00Z",
    "advisory" : "RHSA-2022:1013",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.2.1"
  }, {
    "product_name" : "RHINT Service Registry 2.3.0 GA",
    "release_date" : "2022-10-06T00:00:00Z",
    "advisory" : "RHSA-2022:6835",
    "cpe" : "cpe:/a:redhat:service_registry:2.3",
    "package" : "netty-codec",
    "impact" : "low"
  }, {
    "product_name" : "RHPAM 7.13.0 async",
    "release_date" : "2022-08-04T00:00:00Z",
    "advisory" : "RHSA-2022:5903",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13",
    "package" : "netty-codec"
  }, {
    "product_name" : "Vert.x 4.1.5",
    "release_date" : "2021-11-10T00:00:00Z",
    "advisory" : "RHSA-2021:3959",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "netty-codec"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Affected",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Out of support scope",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Affected",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Affected",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:integration:1",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Affected",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Integration Service Registry",
    "fix_state" : "Not affected",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:integration:1",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Out of support scope",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift3/ose-logging-elasticsearch5",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift4/ose-logging-elasticsearch6",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-metering-hadoop",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-metering-hive",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-metering-presto",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Will not fix",
    "package_name" : "netty-codec",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-37137\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-37137\nhttps://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" ],
  "name" : "CVE-2021-37137",
  "csaw" : false
}