What is the severity of CVE-2024-29025?

CVE-2024-29025 has a moderate severity rating due to its potential for denial of service through excessive data accumulation.

How do I fix CVE-2024-29025?

To address CVE-2024-29025, upgrade to version 4.1.108.Final of the io.netty:netty-codec-http package.

What are the affected software versions for CVE-2024-29025?

CVE-2024-29025 affects versions prior to 4.1.108.Final of io.netty:netty-codec-http as well as specific versions of IBM Cognos Analytics.

What types of attacks are associated with CVE-2024-29025?

CVE-2024-29025 can be exploited through denial of service attacks that leverage unlimited form field accumulations.

Is there a patch available for CVE-2024-29025?

Yes, patches are available for affected versions of IBM Cognos Analytics and recommended upgrades for io.netty:netty-codec-http.

Vulnerability/
CVE-2024-29025

medium

5.3

CWE

770

EPSS

0.045%

25/3/2024

27/1/2025

CVE-2024-29025: Netty HttpPostRequestDecoder can OOM

First published: Mon Mar 25 2024(Updated: )

### Summary The `HttpPostRequestDecoder` can be tricked to accumulate data. I have spotted currently two attack vectors ### Details 1. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. 2. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits ### PoC Here is a Netty branch that provides a fix + tests : https://github.com/vietj/netty/tree/post-request-decoder Here is a reproducer with Vert.x (which uses this decoder) https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3 ### Impact Any Netty based HTTP server that uses the `HttpPostRequestDecoder` to decode a form.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
maven/io.netty:netty-codec-http	<4.1.108.Final	4.1.108.Final
redhat/io.netty.netty-codec-http	<4.1.108.	4.1.108.
IBM Cognos Analytics	<=12.0.0-12.0.3
IBM Cognos Analytics	<=11.2.0-11.2.4 FP4

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7177223

Frequently Asked Questions

What is the severity of CVE-2024-29025?
CVE-2024-29025 has a moderate severity rating due to its potential for denial of service through excessive data accumulation.
How do I fix CVE-2024-29025?
To address CVE-2024-29025, upgrade to version 4.1.108.Final of the io.netty:netty-codec-http package.
What are the affected software versions for CVE-2024-29025?
CVE-2024-29025 affects versions prior to 4.1.108.Final of io.netty:netty-codec-http as well as specific versions of IBM Cognos Analytics.
What types of attacks are associated with CVE-2024-29025?
CVE-2024-29025 can be exploited through denial of service attacks that leverage unlimited form field accumulations.
Is there a patch available for CVE-2024-29025?
Yes, patches are available for affected versions of IBM Cognos Analytics and recommended upgrades for io.netty:netty-codec-http.

agent/weakness
agent/title
agent/type
agent/first-publish-date
agent/author
collector/epss-latest
source/FIRST
agent/epss
agent/severity
agent/description
collector/nvd-api
source/NVD
collector/github-advisory-latest
source/GitHub
alias/GHSA-5jpm-x58v-624v
alias/CVE-2024-29025
agent/software-canonical-lookup
collector/nvd-cve
collector/github-advisory
collector/mitre-cve
source/MITRE
agent/references
agent/softwarecombine
agent/trending
agent/source
agent/last-modified-date
agent/tags
agent/event
collector/redhat-bugzilla
source/Red Hat
collector/ibm-support
source/IBM
agent/software-canonical-lookup-request
package-manager/maven
package-manager/redhat
vendor/ibm
canonical/ibm cognos analytics
version/ibm cognos analytics/12.0.0-12.0.3
version/ibm cognos analytics/11.2.0-11.2.4 fp4