First published: Mon Dec 12 2022
Netty is vulnerable to a denial of service caused by a StackOverflowError in HAProxyMessageDecoder. By sending a specially crafted message, a remote attacker could trigger infinite recursion in the decoder, resulting in a denial of service condition.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Disconnected Log Collector | <=v1.0 - v1.8.2 | |
| Netty Netty | <4.1.86 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| redhat/eap7-netty | <0:4.1.86-1.Final_redhat_00001.1.el8ea | 0:4.1.86-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-netty | <0:4.1.86-1.Final_redhat_00001.1.el9ea | 0:4.1.86-1.Final_redhat_00001.1.el9ea |
| redhat/eap7-netty | <0:4.1.86-1.Final_redhat_00001.1.el7ea | 0:4.1.86-1.Final_redhat_00001.1.el7ea |
| redhat/rh-sso7-keycloak | <0:18.0.7-1.redhat_00001.1.el7 | 0:18.0.7-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.7-1.redhat_00001.1.el8 | 0:18.0.7-1.redhat_00001.1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.7-1.redhat_00001.1.el9 | 0:18.0.7-1.redhat_00001.1.el9 |
| debian/netty | <=1:4.1.33-1+deb10u2 | 1:4.1.33-1+deb10u4, 1:4.1.48-4+deb11u1, 1:4.1.48-4+deb11u2, 1:4.1.48-7+deb12u1, 1:4.1.48-9 |
| ubuntu/netty | <1:4.1.7-4ubuntu0.1+ | 1:4.1.7-4ubuntu0.1+ |
| ubuntu/netty | <1:4.1.45-1ubuntu0.1~ | 1:4.1.45-1ubuntu0.1~ |
| ubuntu/netty | <1:4.1.48-4+ | 1:4.1.48-4+ |
| ubuntu/netty | <1:4.1.48-5ubuntu0.1 | 1:4.1.48-5ubuntu0.1 |
| ubuntu/netty | <1:4.0.34-1ubuntu0.1~ | 1:4.0.34-1ubuntu0.1~ |
CVE-2022-41881 is a vulnerability found in Netty project versions prior to 4.1.86.Final.
CVE-2022-41881 has a severity level of high.
CVE-2022-41881 can lead to a StackOverflowError, caused by infinite recursion, when HAProxyMessageDecoder parses a malformed crafted message.
The remedy for CVE-2022-41881 is to update to Netty project version 4.1.86.Final.
More information about CVE-2022-41881 can be found at the following references: [1] [2] [3].