Описание
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
A flaw was found in Netty. An unsafe reading of the environment file could potentially cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crashes.
Отчет
Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Red Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | io.netty/netty | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | io.netty/netty | Not affected | ||
| Red Hat Build of Keycloak | io.netty/netty | Not affected | ||
| Red Hat Fuse 7 | io.netty/netty | Not affected | ||
| Red Hat Integration Camel K 1 | io.netty/netty | Not affected | ||
| Red Hat JBoss Data Grid 7 | io.netty/netty | Not affected | ||
| Red Hat JBoss Enterprise Application Platform Expansion Pack | io.netty/netty | Not affected | ||
| Red Hat Process Automation 7 | io.netty/netty | Not affected | ||
| Red Hat Single Sign-On 7 | io.netty/netty | Not affected | ||
| Red Hat build of Quarkus 3.15.3 | io.quarkus/quarkus-netty | Fixed | RHSA-2025:0900 | 05.02.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.5 Medium
CVSS3
Связанные уязвимости
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Netty is an asynchronous event-driven network application framework fo ...
Security update for aalto-xml, flatten-maven-plugin, jctools, moditect, netty, netty-tcnative
Denial of Service attack on windows app using netty
EPSS
5.5 Medium
CVSS3