[
https://issues.apache.org/jira/browse/ZOOKEEPER-4413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Ma updated ZOOKEEPER-4413:
---------------------------------
Summary: Security Issue Related to netty-codec 4.1.59.Final (was: Security
Issue Related to netty-codec )
> Security Issue Related to netty-codec 4.1.59.Final
> --------------------------------------------------
>
> Key: ZOOKEEPER-4413
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4413
> Project: ZooKeeper
> Issue Type: Improvement
> Affects Versions: 3.7.0
> Reporter: Daniel Ma
> Priority: Major
> Labels: security
>
> Our security scan detected CVE-2021-37136 and CVE-2021-37137 in
> netty.io_netty_codec:
> {code:java}
> CVE-2021-37136
> The Bzip2 decompression decoder function doesn't allow setting size
> restrictions on the decompressed output data (which affects the allocation
> size used during decompression). All users of Bzip2Decoder are affected. The
> malicious input can trigger an OOME and so a DoS attack
> CVE-2021-37137
> The Snappy frame decoder function doesn't restrict the chunk length which
> may lead to excessive memory usage. Beside this it also may buffer reserved
> skippable chunks until the whole chunk was received which may lead to
> excessive memory usage as well. This vulnerability can be triggered by
> supplying malicious input that decompresses to a very big size (via a network
> stream or a file) or by sending a huge skippable chunk.
> fixed in 4.1.68{code}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
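
The missing control described for CVE-2021-37136, a size restriction on decompressed output, is sketched below as an added example. It is not code from the issue, from ZooKeeper or from Netty: it uses Python's standard `bz2` module rather than Netty's `Bzip2Decoder`, and the function name, the 1 MiB cap and the sample inputs are assumptions made for illustration.

```python
import bz2


class OutputLimitExceeded(Exception):
    """Raised when decompressed output would exceed the caller's cap."""


def bounded_bunzip2(compressed: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress one bzip2 stream, refusing to produce more than max_output bytes."""
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    view = memoryview(compressed)
    pos = 0
    while not dec.eof:
        if dec.needs_input:
            if pos >= len(view):
                raise ValueError("truncated bzip2 stream")
            data = view[pos:pos + chunk]
            pos += len(data)
        else:
            data = b""  # decoder still holds buffered output from earlier input
        # Request one byte past the remaining budget so an overrun is detectable
        # without ever materialising the full expanded payload.
        budget = max_output - len(out)
        out += dec.decompress(data, max_length=budget + 1)
        if len(out) > max_output:
            raise OutputLimitExceeded(f"output exceeds {max_output} bytes")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the issue.
    ordinary = bz2.compress(b"zookeeper snapshot " * 50)
    expanding = bz2.compress(b"\0" * (8 * 1024 * 1024))
    print(len(bounded_bunzip2(ordinary, max_output=1 << 20)))
    try:
        bounded_bunzip2(expanding, max_output=1 << 20)
    except OutputLimitExceeded as exc:
        print(f"rejected {len(expanding)}-byte input: {exc}")
```

The cap is enforced while decoding, so memory use stays near `max_output` regardless of how far the input would expand.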