Описание
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.
Отчет
In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.
Starting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as Out of support scope because these versions are already under Maintenance Phase of the support.
[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | netty-codec | Affected | ||
| Red Hat BPM Suite 6 | netty-codec | Out of support scope | ||
| Red Hat build of Quarkus | netty-codec | Affected | ||
| Red Hat Integration Camel K 1 | netty-codec | Affected | ||
| Red Hat Integration Service Registry | netty-codec | Not affected | ||
| Red Hat JBoss BRMS 6 | netty-codec | Out of support scope | ||
| Red Hat JBoss Data Grid 7 | netty-codec | Out of support scope | ||
| Red Hat JBoss Data Virtualization 6 | netty-codec | Out of support scope | ||
| Red Hat JBoss Fuse 6 | netty-codec | Out of support scope | ||
| Red Hat JBoss Fuse Service Works 6 | netty-codec | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
The Bzip2 decompression decoder function doesn't allow setting size re ...
Bzip2Decoder doesn't allow setting size restrictions for decompressed data
Уязвимость декодера Bzip2Decoder сетевого программного средства Netty, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
7.5 High
CVSS3