
CVE-2020-11612: Compression/Decompression Codecs should enforce memory allocation size limits · Issue #6168 · netty/netty

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Tags: CVE, #java, #rce
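As an added illustration, not Netty's code and not the fix shipped in 4.1.46, the plain-JDK Java program below shows the kind of limit the issue asks for: an inflater loop that refuses to produce more than a caller-supplied number of bytes, so a small but highly compressible input cannot drive the decoder's allocation up to the heap ceiling. The limit constant, the class and method names, and the exception type are assumptions made for this example, and the oversized payload is constructed inside the program rather than captured from anywhere.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public class BoundedInflate {
    // Assumed limit for this example: never produce more than 1 MiB of output per stream.
    static final int MAX_OUTPUT_BYTES = 1 << 20;

    /** Raised when the inflated stream would exceed the configured bound (example type, not a JDK one). */
    public static final class DecompressionLimitExceededException extends RuntimeException {
        DecompressionLimitExceededException(String msg) { super(msg); }
    }

    /**
     * Inflate a zlib-wrapped stream while enforcing an upper bound on the output size.
     * Output is pulled in fixed 8 KiB chunks, so the only buffer that grows is the
     * accumulator, and it grows with bytes actually produced, never with a size the
     * sender controls. The bound is checked before each chunk is retained, so the
     * accumulator can never exceed maxOutputBytes.
     */
    public static byte[] inflateBounded(byte[] compressed, int maxOutputBytes) throws DataFormatException {
        Inflater inflater = new Inflater();
        try {
            inflater.setInput(compressed);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            long produced = 0;
            while (!inflater.finished()) {
                int n = inflater.inflate(chunk);
                // inflate() returns 0 before the stream is finished only when it needs more
                // input or a preset dictionary; we accept neither, so treat it as an error.
                if (n == 0 && !inflater.finished()) {
                    throw new DataFormatException("truncated or dictionary-dependent zlib stream");
                }
                produced += n;
                if (produced > maxOutputBytes) {
                    throw new DecompressionLimitExceededException(
                        "inflated size exceeds limit of " + maxOutputBytes + " bytes");
                }
                out.write(chunk, 0, n);
            }
            return out.toByteArray();
        } finally {
            inflater.end(); // release native zlib state even on the failure paths
        }
    }

    /** Compress a buffer with the zlib wrapper; used only to build constructed test inputs. */
    static byte[] deflate(byte[] raw) {
        Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION);
        deflater.setInput(raw);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        while (!deflater.finished()) {
            int n = deflater.deflate(chunk);
            out.write(chunk, 0, n);
        }
        deflater.end();
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload: 16 MiB of zeros compresses to a few KiB on the wire
        // but expands far past the 1 MiB bound when inflated.
        byte[] small = deflate(new byte[16 * 1024 * 1024]);
        System.out.println("compressed size on the wire: " + small.length + " bytes");
        try {
            inflateBounded(small, MAX_OUTPUT_BYTES);
            System.out.println("unexpected: inflate completed");
        } catch (DecompressionLimitExceededException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A well-behaved stream under the bound inflates normally.
        byte[] ok = inflateBounded(deflate("hello, netty".getBytes(StandardCharsets.UTF_8)), MAX_OUTPUT_BYTES);
        System.out.println("inflated: " + new String(ok, StandardCharsets.UTF_8));
    }
}
```

The point of the chunked loop is that the decoder's memory footprint is decided by the receiver, not by the peer: the scratch buffer is fixed, and the accumulator can only reach the bound before the stream is rejected. A codec that instead sizes a single output buffer from a length the sender declares, or keeps growing a buffer until the stream ends, has exactly the behaviour the CVE describes.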

Expected behavior

To protect against OOME the compression and decompression codecs should explicitly limit the amount of data they compress and decompress. We may be vulnerable to OOME from large or malicious input.

Actual behavior

In light of #5997 most of the compression/decompression codecs don’t enforce limits on buffer allocation sizes.

Steps to reproduce

N/A

Minimal yet complete reproducer code (or URL to code)

N/A

Netty version

4.1.7-SNAPSHOT

JVM version (e.g. java -version)

N/A

OS version (e.g. uname -a)

N/A
