Headline
CVE-2014-0193: Netty.news: Release day!
WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.
I’m happy to announce the release of Netty 4.0.19.Final, 3.9.1.Final, 3.8.2.Final, 3.7.1.Final and 3.6.9.Final. Beside providing you with various new features and bugfixes all of these releases have one in common; they fix a resource usage problem in the WebSocket08FrameDecoder.
Before we aggregated the full text in the WebSocket08FrameDecoder just to fill in the ContinuationWebSocketFrame.aggregatedText(). The problem was that there was no upper-limit and so it would be possible to see an OOME if the remote peer sends a TextWebSocketFrame + a never ending stream of ContinuationWebSocketFrames. The aggregation of WebSocketFrames can be done with the WebSocketFrameAggregator, which allows to set an upper limit. Because there was no other “sane” way to fix the problem we decided to also remove the ContinuationWebSocketFrame.aggregatedText() method, even in a bugfix release because just changing its behaviour would even be more confusing. We never saw a usage of this method in the wild so far, so we hope this will not affect many users.
So if you using the stock WebSockets codec provided by Netty you should update ASAP! Special thanks to James Roper (Typesafe) for finding the flaw and notify us in a timely manner.
For more details on the fixes for these various releases please see the following sections.
Netty 4.0.19.Final****Most important changes / fixes
- Fix a resource usage problem in the WebSocket08FrameDecoder
- Not cause busy loop when interrupt Thread of NioEventLoop
- Various fixed in the native transport
- Support for TCP_REUSEPORT in the native transport
- Add Datagram support in native transport
- Improve release of unused memory out of the buffer pool cache
Visit here for the complete list of the changes and all the details.
As always please let us know if you find any issues. We love feedback!
Netty 3.9.1.Final****Most important changes / fixes
- Fix a resource usage problem in the WebSocket08FrameDecoder
- Various SSL fixes
- SPDY improvements
Visit here for the complete list of the changes and all the details.
Netty 3.8.2.Final****Most important changes / fixes
- Fix a resource usage problem in the WebSocket08FrameDecoder
- Various SSL fixes
Visit here for the complete list of the changes and all the details.
Netty 3.7.1.Final****Most important changes / fixes
- Fix a resource usage problem in the WebSocket08FrameDecoder
- Various SSL fixes
Visit here for the complete list of the changes and all the details.
Netty 3.6.9.Final****Most important changes / fixes
- Fix a resource usage problem in the WebSocket08FrameDecoder
Visit here for the complete list of the changes and all the details.
As always please let us know if you find any issues. We love feedback!
Related news
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.