CVE-2021-37137
First published: Thu Sep 09 2021(Updated: )
### Impact The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. ### Impact All users of SnappyFrameDecoder are affected and so the application may be in risk for a DoS attach due excessive memory usage. ### References https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171 https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185
Credit: reefs@jfrog.com reefs@jfrog.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-netty | <0:4.1.72-4.Final_redhat_00001.1.el8ea | 0:4.1.72-4.Final_redhat_00001.1.el8ea |
| redhat/eap7-netty | <0:4.1.72-4.Final_redhat_00001.1.el7ea | 0:4.1.72-4.Final_redhat_00001.1.el7ea |
| redhat/candlepin | <0:4.1.15-1.el8 | 0:4.1.15-1.el8 |
| maven/io.netty:netty | <4.0.0 | |
| maven/org.jboss.netty:netty | <4.0.0 | |
| maven/io.netty:netty-codec | >=4.0.0<4.1.68.Final | 4.1.68.Final |
| redhat/netty | <4.1.68. | 4.1.68. |
| ubuntu/netty | <1:4.1.45-1ubuntu0.1~ | 1:4.1.45-1ubuntu0.1~ |
| ubuntu/netty | <1:4.1.48-4+ | 1:4.1.48-4+ |
| ubuntu/netty | <1:4.1.48-5ubuntu0.1 | 1:4.1.48-5ubuntu0.1 |
| ubuntu/netty | <1:4.0.34-1ubuntu0.1~ | 1:4.0.34-1ubuntu0.1~ |
| ubuntu/netty | <1:4.1.7-4ubuntu0.1+ | 1:4.1.7-4ubuntu0.1+ |
| <4.1.68 | ||
| >=18.1<=18.3 | ||
| =19.1 | ||
| =19.2 | ||
| =20.1 | ||
| =21.1 | ||
| =18.1 | ||
| =18.2 | ||
| =18.3 | ||
| =19.1 | ||
| =19.2 | ||
| =20.1 | ||
| =21.1 | ||
| =11.3.2 | ||
| <12.0.0.4.6 | ||
| =12.0.0.5.0 | ||
| =1.10.0 | ||
| >=8.0.0.0<=8.5.0.2 | ||
| =8.57 | ||
| =8.58 | ||
| =8.59 | ||
| =12.2.1.3.0 | ||
| =12.2.1.4.0 | ||
| <2.2.4 | ||
| =10.0 | ||
| =11.0 | ||
| Netty Netty | <4.1.68 | |
| Oracle Banking Apis | >=18.1<=18.3 | |
| Oracle Banking Apis | =19.1 | |
| Oracle Banking Apis | =19.2 | |
| Oracle Banking Apis | =20.1 | |
| Oracle Banking Apis | =21.1 | |
| Oracle Banking Digital Experience | =18.1 | |
| Oracle Banking Digital Experience | =18.2 | |
| Oracle Banking Digital Experience | =18.3 | |
| Oracle Banking Digital Experience | =19.1 | |
| Oracle Banking Digital Experience | =19.2 | |
| Oracle Banking Digital Experience | =20.1 | |
| Oracle Banking Digital Experience | =21.1 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Communications Brm - Elastic Charging Engine | <12.0.0.4.6 | |
| Oracle Communications Brm - Elastic Charging Engine | =12.0.0.5.0 | |
| Oracle Communications Cloud Native Core Binding Support Function | =1.10.0 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0.0<=8.5.0.2 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 | |
| Quarkus Quarkus | <2.2.4 | |
| NetApp OnCommand Insight | ||
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| debian/netty | <=1:4.1.33-1+deb10u2 | 1:4.1.33-1+deb10u4 1:4.1.48-4+deb11u1 1:4.1.48-4+deb11u2 1:4.1.48-7+deb12u1 1:4.1.48-9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363
- https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f
- https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171
- https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185
- https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79
- https://nvd.nist.gov/vuln/detail/CVE-2021-37137
- https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://security.netapp.com/advisory/ntap-20220210-0012/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
- https://www.debian.org/security/2023/dsa-5316
- https://github.com/advisories/GHSA-9vjp-v76f-g363 (Advisory)
- https://launchpad.net/bugs/cve/CVE-2021-37137
- https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E
- https://access.redhat.com/errata/RHSA-2021:3959
- https://access.redhat.com/errata/RHSA-2021:4851
- https://access.redhat.com/errata/RHSA-2021:5129
- https://access.redhat.com/errata/RHSA-2021:5128
- https://access.redhat.com/errata/RHSA-2021:5127
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/security/cve/cve-2021-37137
- https://access.redhat.com/errata/RHSA-2022:0138
- https://access.redhat.com/errata/RHSA-2022:0520
- https://access.redhat.com/errata/RHSA-2022:0589
- https://access.redhat.com/errata/RHSA-2022:1013
- https://access.redhat.com/errata/RHSA-2022:2216
- https://access.redhat.com/errata/RHSA-2022:2218
- https://access.redhat.com/errata/RHSA-2022:2217
- https://access.redhat.com/errata/RHSA-2022:4922
- https://access.redhat.com/errata/RHSA-2022:4918
- https://access.redhat.com/errata/RHSA-2022:4919
- https://access.redhat.com/errata/RHSA-2022:5903
- https://access.redhat.com/errata/RHSA-2022:6835
- https://access.redhat.com/errata/RHSA-2022:8506
- https://access.redhat.com/errata/RHSA-2023:3223
- https://access.redhat.com/errata/RHSA-2023:5165
- https://bugzilla.redhat.com/show_bug.cgi?id=2004135
- https://www.cve.org/CVERecord?id=CVE-2021-37137 https://nvd.nist.gov/vuln/detail/CVE-2021-37137 https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
- https://security-tracker.debian.org/tracker/CVE-2021-37137
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37137
- https://ubuntu.com/security/notices/USN-6049-1
- https://ubuntu.com/security/CVE-2021-37137
Parent vulnerabilities
(Appears in the following advisories)
- RHSA-2022:2216
- RHSA-2021:5128
- RHSA-2021:5127
- RHSA-2022:2218
- RHSA-2021:5129
- RHSA-2022:2217
- RHSA-2021:4851
- RHSA-2022:0520
- RHSA-2022:1013
- RHSA-2022:6835
- RHSA-2022:0138
- RHSA-2023:3223
- RHSA-2023:5165
- RHSA-2022:4922
- RHSA-2022:4919
- RHSA-2022:4918
- RHSA-2021:5134
- RHSA-2022:5903
- RHSA-2022:8506
- RHSA-2021:3959
- RHSA-2022:0589
- USN-6049-1
Frequently Asked Questions
What is CVE-2021-37137?
CVE-2021-37137 is a vulnerability in the Netty library that allows for unrestricted chunk lengths and can lead to excessive memory usage.
How does CVE-2021-37137 impact systems?
CVE-2021-37137 can result in excessive memory usage due to unrestricted chunk lengths in the Snappy frame decoder function.
What is the severity of CVE-2021-37137?
The severity of CVE-2021-37137 is high with a CVSS score of 7.
Which software versions are affected by CVE-2021-37137?
Netty versions up to 4.1.68 are affected, as well as specific versions of Red Hat EAP7-Netty, Ubuntu Netty, and Debian Netty.
How can I mitigate the vulnerability (CVE-2021-37137)?
To mitigate CVE-2021-37137, upgrade to Netty version 4.1.68 or later, and apply any relevant patches for the affected software versions.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- alias/GHSA-9vjp-v76f-g363
- alias/CVE-2021-37137
- collector/github-advisory-latest
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- collector/redhat-cve
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- package-manager/maven
- vendor/netty
- canonical/netty netty
- vendor/oracle
- canonical/oracle banking apis
- version/oracle banking apis/18.1
- version/oracle banking apis/18.3
- version/oracle banking apis/19.1
- version/oracle banking apis/19.2
- version/oracle banking apis/20.1
- version/oracle banking apis/21.1
- canonical/oracle banking digital experience
- version/oracle banking digital experience/18.1
- version/oracle banking digital experience/18.2
- version/oracle banking digital experience/18.3
- version/oracle banking digital experience/19.1
- version/oracle banking digital experience/19.2
- version/oracle banking digital experience/20.1
- version/oracle banking digital experience/21.1
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle communications brm - elastic charging engine
- version/oracle communications brm - elastic charging engine/12.0.0.5.0
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/1.10.0
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0.0
- version/oracle communications diameter signaling router/8.5.0.2
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0
- vendor/quarkus
- canonical/quarkus quarkus
- vendor/netapp
- canonical/netapp oncommand insight
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu