Description
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe read of an environment file can cause a denial of service. When loaded in a Windows application, Netty attempts to read a file that normally does not exist on Windows (the os-release file it probes to detect the host distribution). If an attacker can create that file and make it very large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. That issue was fixed, but the fix was incomplete: null bytes were not counted against the input limit, so a file padded with null bytes still passes the size check. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
A flaw was found in Netty. An unsafe read of the environment file can cause a denial of service. When loaded in a Windows application, Netty attempts to read a file that does not exist; if an attacker creates a large file at that path, the Netty application crashes.
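The limit-counting failure the description refers to, shown as an added illustration (this is not Netty's code and not the fix in the cited commit): a first-line reader that discards NUL bytes before charging them to its limit, beside one that counts every byte it pulls from the file. The limit value, chunk size, function names and the sample file contents are assumptions made for this example.

```python
"""Bounded first-line reads: an incomplete limit that ignores NUL bytes versus one that counts every byte.
Illustrative code added to this page; it does not reproduce Netty's implementation."""
import io

LIMIT = 1024   # hypothetical cap on bytes accepted per line; Netty's real value is not on this page
CHUNK = 4096   # hypothetical read size


class InputTooLargeError(ValueError):
    """Raised when the first line exceeds the byte limit."""


class CountingStream:
    """Wraps a binary stream and records how many bytes were actually pulled from it."""

    def __init__(self, raw):
        self._raw = raw
        self.consumed = 0

    def read(self, n=-1):
        data = self._raw.read(n)
        self.consumed += len(data)
        return data


def read_line_incomplete(stream, limit=LIMIT):
    """Models the incomplete fix: NUL bytes are discarded before being charged to the limit,
    so a file padded with NULs is read to its end no matter how large it is."""
    buf = bytearray()
    charged = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            return bytes(buf).decode("utf-8", "replace")
        nl = chunk.find(b"\n")
        line_part = chunk if nl < 0 else chunk[:nl]
        visible = line_part.replace(b"\x00", b"")   # BUG: NULs vanish before being counted
        charged += len(visible)
        if charged > limit:
            raise InputTooLargeError(f"line exceeds {limit} bytes")
        buf += visible
        if nl >= 0:
            return bytes(buf).decode("utf-8", "replace")


def read_line_bounded(stream, limit=LIMIT):
    """Complete fix: every byte pulled from the stream counts, NUL or not, and the reader
    never pulls more than limit + 1 bytes before deciding."""
    buf = bytearray()
    consumed = 0
    while consumed <= limit:
        chunk = stream.read(min(CHUNK, limit + 1 - consumed))
        if not chunk:
            return bytes(buf).decode("utf-8", "replace")
        nl = chunk.find(b"\n")
        if nl >= 0:
            if consumed + nl > limit:   # line body itself is longer than the limit
                raise InputTooLargeError(f"line exceeds {limit} bytes")
            buf += chunk[:nl]
            return bytes(buf).decode("utf-8", "replace")
        consumed += len(chunk)
        buf += chunk
    raise InputTooLargeError(f"line exceeds {limit} bytes")


def probe(reader, data, limit=LIMIT):
    """Run a reader over constructed file contents; report success and bytes consumed."""
    stream = CountingStream(io.BytesIO(data))
    try:
        line = reader(stream, limit)
        return {"ok": True, "line": line, "consumed": stream.consumed}
    except InputTooLargeError:
        return {"ok": False, "line": None, "consumed": stream.consumed}


# Constructed inputs (not from the page): a benign os-release style file, and a hostile file
# whose first line is a few visible bytes followed by 1 MiB of NUL padding and no newline.
BENIGN = b'ID="alpine"\nNAME="Alpine Linux"\n'
HOSTILE = b"ID=" + b"\x00" * (1024 * 1024)

if __name__ == "__main__":
    for name, reader in (("incomplete", read_line_incomplete), ("bounded", read_line_bounded)):
        print(name, "benign  ->", probe(reader, BENIGN))
        print(name, "hostile ->", probe(reader, HOSTILE))
```

The incomplete reader accepts the hostile file and consumes all of it, since only the three visible bytes are charged to the limit; the bounded reader stops after `LIMIT + 1` bytes and rejects it. Scaling the padding to gigabytes turns that difference into the crash the advisory describes.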
Statement
This issue only affects Windows environments. A supported Red Hat JBoss EAP 7 or 8 deployment is therefore affected only when it runs on Windows.
Mitigation
Currently, no mitigation is available for this vulnerability. The remediation is to update to a Netty build that includes the corrected fix (commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386) or to one of the fixed packages listed under Affected packages.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat build of Quarkus | netty-common | Not affected | | |
| Red Hat Integration Camel K 1 | netty-common | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 7 | netty-common | Fixed | RHSA-2025:3467 | 2025-04-01 |
| Red Hat JBoss Enterprise Application Platform 7.4.22 | | Fixed | RHSA-2025:4552 | 2025-05-06 |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-netty | Fixed | RHSA-2025:3465 | 2025-04-01 |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-netty-transport-native-epoll | Fixed | RHSA-2025:3465 | 2025-04-01 |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-wildfly | Fixed | RHSA-2025:3465 | 2025-04-01 |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-apache-commons-io | Fixed | RHSA-2025:4549 | 2025-05-06 |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-hal-console | Fixed | RHSA-2025:4549 | 2025-05-06 |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-ironjacamar | Fixed | RHSA-2025:4549 | 2025-05-06 |
Additional information
CVSS3: 5.5 (Medium)
Related vulnerabilities
Denial of Service attack on windows app using Netty
Vulnerability in the BufferedReader.readLine() function of the Netty network software, allowing an attacker to cause a denial of service