CVE-2021-37136
First published: Thu Sep 09 2021(Updated: )
### Impact The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack ### Workarounds No workarounds other than not using the `Bzip2Decoder` ### References Relevant code areas: https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305
Credit: reefs@jfrog.com reefs@jfrog.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/io.netty:netty | <4.0.0 | |
| maven/org.jboss.netty:netty | <4.0.0 | |
| maven/io.netty:netty-codec | <4.1.68.Final | 4.1.68.Final |
| Netty Netty | <4.1.68 | |
| Quarkus Quarkus | <2.2.4 | |
| Oracle Banking Apis | >=18.1<=18.3 | |
| Oracle Banking Apis | =19.1 | |
| Oracle Banking Apis | =19.2 | |
| Oracle Banking Apis | =20.1 | |
| Oracle Banking Apis | =21.1 | |
| Oracle Banking Digital Experience | =18.1 | |
| Oracle Banking Digital Experience | =18.2 | |
| Oracle Banking Digital Experience | =18.3 | |
| Oracle Banking Digital Experience | =19.1 | |
| Oracle Banking Digital Experience | =19.2 | |
| Oracle Banking Digital Experience | =20.1 | |
| Oracle Banking Digital Experience | =21.1 | |
| Oracle Coherence | =12.2.1.4.0 | |
| Oracle Coherence | =14.1.1.0.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Communications Brm - Elastic Charging Engine | <12.0.0.4.6 | |
| Oracle Communications Brm - Elastic Charging Engine | =12-0.0.5.0 | |
| Oracle Communications Cloud Native Core Binding Support Function | =1.10.0 | |
| Oracle Communications Cloud Native Core Binding Support Function | =1.11.0 | |
| Oracle Communications Cloud Native Core Network Slice Selection Function | =1.8.0 | |
| Oracle Communications Cloud Native Core Policy | =1.15.0 | |
| VMware Spring Cloud Gateway | =1.7.0 | |
| Oracle Communications Cloud Native Core Unified Data Repository | =1.15.0 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0.0<=8.5.0.2 | |
| Oracle Communications Instant Messaging Server | =8.1 | |
| Oracle Helidon | =1.4.10 | |
| Oracle Helidon | =2.4.0 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.48 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 | |
| NetApp OnCommand Insight | ||
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| redhat/eap7-netty | <0:4.1.72-4.Final_redhat_00001.1.el8ea | 0:4.1.72-4.Final_redhat_00001.1.el8ea |
| redhat/eap7-netty | <0:4.1.72-4.Final_redhat_00001.1.el7ea | 0:4.1.72-4.Final_redhat_00001.1.el7ea |
| redhat/candlepin | <0:4.1.15-1.el8 | 0:4.1.15-1.el8 |
| debian/netty | <=1:4.1.33-1+deb10u2 | 1:4.1.33-1+deb10u4 1:4.1.48-4+deb11u1 1:4.1.48-4+deb11u2 1:4.1.48-7+deb12u1 1:4.1.48-9 |
| ubuntu/netty | <1:4.1.45-1ubuntu0.1~ | 1:4.1.45-1ubuntu0.1~ |
| ubuntu/netty | <1:4.1.48-4+ | 1:4.1.48-4+ |
| ubuntu/netty | <1:4.1.48-5ubuntu0.1 | 1:4.1.48-5ubuntu0.1 |
| ubuntu/netty | <1:4.0.34-1ubuntu0.1~ | 1:4.0.34-1ubuntu0.1~ |
| ubuntu/netty | <1:4.1.7-4ubuntu0.1+ | 1:4.1.7-4ubuntu0.1+ |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2021-37136
- https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
- https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020
- https://security-tracker.debian.org/tracker/CVE-2021-37137
- https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363
- https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37136
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37137
- https://security-tracker.debian.org/tracker/CVE-2021-43797
- https://security-tracker.debian.org/tracker/CVE-2022-41881
- https://security-tracker.debian.org/tracker/CVE-2022-41915
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014769
- https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294
- https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305
- https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80
- https://nvd.nist.gov/vuln/detail/CVE-2021-37136
- https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://security.netapp.com/advisory/ntap-20220210-0012/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
- https://www.debian.org/security/2023/dsa-5316
- https://github.com/advisories/GHSA-grg4-wf29-r9vv (Advisory)
- https://launchpad.net/bugs/cve/CVE-2021-37136
- https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E
- https://access.redhat.com/errata/RHSA-2021:3959
- https://access.redhat.com/errata/RHSA-2021:4851
- https://access.redhat.com/errata/RHSA-2021:5129
- https://access.redhat.com/errata/RHSA-2021:5128
- https://access.redhat.com/errata/RHSA-2021:5127
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/security/cve/cve-2021-37136
- https://access.redhat.com/errata/RHSA-2022:0138
- https://access.redhat.com/errata/RHSA-2022:0520
- https://access.redhat.com/errata/RHSA-2022:0589
- https://access.redhat.com/errata/RHSA-2022:1013
- https://access.redhat.com/errata/RHSA-2022:2216
- https://access.redhat.com/errata/RHSA-2022:2218
- https://access.redhat.com/errata/RHSA-2022:2217
- https://access.redhat.com/errata/RHSA-2022:4922
- https://access.redhat.com/errata/RHSA-2022:4918
- https://access.redhat.com/errata/RHSA-2022:4919
- https://access.redhat.com/errata/RHSA-2022:5903
- https://access.redhat.com/errata/RHSA-2022:6835
- https://access.redhat.com/errata/RHSA-2022:8506
- https://access.redhat.com/errata/RHSA-2023:3223
- https://access.redhat.com/errata/RHSA-2023:5165
- https://bugzilla.redhat.com/show_bug.cgi?id=2004133
- https://www.cve.org/CVERecord?id=CVE-2021-37136 https://nvd.nist.gov/vuln/detail/CVE-2021-37136 https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
- https://ubuntu.com/security/notices/USN-6049-1
- https://ubuntu.com/security/CVE-2021-37136
Parent vulnerabilities
(Appears in the following advisories)
- RHSA-2022:2216
- RHSA-2021:5128
- RHSA-2021:5127
- RHSA-2022:2218
- RHSA-2021:5129
- RHSA-2022:2217
- RHSA-2021:4851
- RHSA-2022:0520
- RHSA-2022:1013
- RHSA-2022:6835
- RHSA-2022:0138
- RHSA-2023:3223
- RHSA-2023:5165
- RHSA-2022:4922
- RHSA-2022:4919
- RHSA-2022:4918
- RHSA-2021:5134
- RHSA-2022:5903
- RHSA-2022:8506
- RHSA-2021:3959
- RHSA-2022:0589
- USN-6049-1
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-37136.
What is the impact of CVE-2021-37136?
The vulnerability allows for an Out-of-Memory Error (OOME) and can be exploited for a Denial-of-Service (DoS) attack.
Which software is affected by CVE-2021-37136?
All users of Bzip2Decoder are affected.
What is the severity of CVE-2021-37136?
The severity of CVE-2021-37136 is high.
How can I fix CVE-2021-37136?
The recommended fix for CVE-2021-37136 is to update to version 4.1.68 or higher of the affected software.
- collector/github-advisory-latest
- alias/GHSA-grg4-wf29-r9vv
- alias/CVE-2021-37136
- collector/github-advisory
- collector/debian-bugs
- collector/redhat-cve
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- agent/softwarecombine
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- collector/security-tracker-debian
- source/Debian
- collector/redhat-bugzilla
- source/Red Hat
- agent/event
- agent/tags
- agent/description
- collector/nvd-cve
- source/NVD
- package-manager/maven
- package-manager/redhat
- vendor/netty
- canonical/netty netty
- vendor/quarkus
- canonical/quarkus quarkus
- vendor/oracle
- canonical/oracle banking apis
- version/oracle banking apis/18.1
- version/oracle banking apis/18.3
- version/oracle banking apis/19.1
- version/oracle banking apis/19.2
- version/oracle banking apis/20.1
- version/oracle banking apis/21.1
- canonical/oracle banking digital experience
- version/oracle banking digital experience/18.1
- version/oracle banking digital experience/18.2
- version/oracle banking digital experience/18.3
- version/oracle banking digital experience/19.1
- version/oracle banking digital experience/19.2
- version/oracle banking digital experience/20.1
- version/oracle banking digital experience/21.1
- canonical/oracle coherence
- version/oracle coherence/12.2.1.4.0
- version/oracle coherence/14.1.1.0.0
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle communications brm - elastic charging engine
- version/oracle communications brm - elastic charging engine/12-0.0.5.0
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/1.10.0
- version/oracle communications cloud native core binding support function/1.11.0
- canonical/oracle communications cloud native core network slice selection function
- version/oracle communications cloud native core network slice selection function/1.8.0
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.15.0
- canonical/vmware spring cloud gateway
- version/vmware spring cloud gateway/1.7.0
- canonical/oracle communications cloud native core unified data repository
- version/oracle communications cloud native core unified data repository/1.15.0
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0.0
- version/oracle communications diameter signaling router/8.5.0.2
- canonical/oracle communications instant messaging server
- version/oracle communications instant messaging server/8.1
- canonical/oracle helidon
- version/oracle helidon/1.4.10
- version/oracle helidon/2.4.0
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.48
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0
- vendor/netapp
- canonical/netapp oncommand insight
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/ubuntu
- package-manager/debian