GHSA-q4h9-7rxj-7gx2: Netty vulnerability included in redis lettuce

Summary

Note: I’m reporting this in this way purely because it’s private and I don’t want to broadcast vulnerabilities.

Unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not normally exist there. If an attacker creates a very large file at that location, the Netty application crashes. This vulnerability is fixed in 4.1.115.

Details

https://github.com/redis/lettuce/blob/main/pom.xml#L67C9-L67C53 The Netty version pinned here is currently:

<netty.version>4.1.113.Final</netty.version>

This version is vulnerable according to Snyk and is affecting one of our products.
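As an added check (not part of this advisory or of the lettuce project), a small script that reads the pinned netty.version property from a pom.xml and reports whether it predates the fixed release, 4.1.115. The pom excerpt is constructed to mirror the property cited above, and Maven's version ordering is approximated by the qualifier handling shown.

```python
import re
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

# Constructed pom.xml excerpt modelled on the lettuce property cited above
# (not the real file): it pins the Netty version the advisory flags.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <netty.version>4.1.113.Final</netty.version>
  </properties>
</project>
"""

POM_NS = "http://maven.apache.org/POM/4.0.0"
# First Netty release carrying the fix the advisory names.
FIXED_NETTY_VERSION = "4.1.115.Final"


def pinned_netty_version(pom_xml: str) -> Optional[str]:
    """Return the <netty.version> property from a pom.xml, or None if absent."""
    root = ET.fromstring(pom_xml)
    node = next(root.iter(f"{{{POM_NS}}}netty.version"), None)
    return node.text.strip() if node is not None and node.text else None


def version_key(version: str) -> tuple:
    """Sortable key for a Maven-style version such as 4.1.113.Final: numeric
    parts compare numerically; Final/GA/Release (or no qualifier) is a release
    and ranks above any other qualifier (Beta1, SNAPSHOT, ...)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[.-]([A-Za-z0-9]+))?", version)
    if not m:
        raise ValueError(f"unrecognised Maven version: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    qualifier = (m.group(2) or "final").lower()
    is_release = qualifier in ("final", "ga", "release")
    return (numbers, 1 if is_release else 0, "" if is_release else qualifier)


def is_vulnerable(version: str, fixed: str = FIXED_NETTY_VERSION) -> bool:
    """True when `version` is older than the first fixed Netty release."""
    return version_key(version) < version_key(fixed)


def check_pom(pom_xml: str) -> Tuple[Optional[str], bool]:
    """(pinned version, vulnerable?) for a pom.xml; an unpinned property is
    reported as None and not flagged, since the effective version is unknown."""
    pinned = pinned_netty_version(pom_xml)
    return pinned, pinned is not None and is_vulnerable(pinned)
```

Run against the real pom.xml, the same check flags any pin below 4.1.115.Final, including pre-release qualifiers of 4.1.115 itself.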

Here is a link to the CVE

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.
Not applicable

Impact

What kind of vulnerability is it? Who is impacted?
Denial of Service, affecting Windows users.



References

  • GHSA-xq3w-v528-46rv
  • GHSA-q4h9-7rxj-7gx2
  • https://nvd.nist.gov/vuln/detail/CVE-2024-47535
