CVE-2021-37136

2021-10-1915:15:07

Debian Security Bug Tracker

security-tracker.debian.org

bzip2

decompression

size restrictions

allocation

oome

dos

unix

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.01

Percentile

84.3%

JSON

The Bzip2 decompression decoder function doesn’t allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

OSVersionArchitecturePackageVersionFilename
Debian12allnetty< 1:4.1.48-6netty_1:4.1.48-6_all.deb
Debian11allnetty< 1:4.1.48-4+deb11u1netty_1:4.1.48-4+deb11u1_all.deb
Debian999allnetty< 1:4.1.48-6netty_1:4.1.48-6_all.deb
Debian13allnetty< 1:4.1.48-6netty_1:4.1.48-6_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	netty	< 1:4.1.48-6	netty_1:4.1.48-6_all.deb
Debian	11	all	netty	< 1:4.1.48-4+deb11u1	netty_1:4.1.48-4+deb11u1_all.deb
Debian	999	all	netty	< 1:4.1.48-6	netty_1:4.1.48-6_all.deb
Debian	13	all	netty	< 1:4.1.48-6	netty_1:4.1.48-6_all.deb