Vulnerability Monitor

CVE-2021-37137

The Snappy frame decoder function does not restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very large size (via a network stream or a file) or by sending a huge skippable chunk.

Published

2021-10-19T15:15:07.757

Last Modified

2024-11-21T06:14:43.073

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-400
  • Type: Primary
    CWE-400

Affected Vendors & Products

Type | Vendor | Product | Version/Range | Vulnerable?
Application | netty | netty | < 4.1.68 | Yes
Application | oracle | banking_apis | ≤ 18.3 | Yes
Application | oracle | banking_apis | 19.1 | Yes
Application | oracle | banking_apis | 19.2 | Yes
Application | oracle | banking_apis | 20.1 | Yes
Application | oracle | banking_apis | 21.1 | Yes
Application | oracle | banking_digital_experience | 18.1 | Yes
Application | oracle | banking_digital_experience | 18.2 | Yes
Application | oracle | banking_digital_experience | 18.3 | Yes
Application | oracle | banking_digital_experience | 19.1 | Yes
Application | oracle | banking_digital_experience | 19.2 | Yes
Application | oracle | banking_digital_experience | 20.1 | Yes
Application | oracle | banking_digital_experience | 21.1 | Yes
Application | oracle | commerce_guided_search | 11.3.2 | Yes
Application | oracle | communications_brm_-_elastic_charging_engine | < 12.0.0.4.6 | Yes
Application | oracle | communications_brm_-_elastic_charging_engine | 12.0.0.5.0 | Yes
Application | oracle | communications_cloud_native_core_binding_support_function | 1.10.0 | Yes
Application | oracle | communications_diameter_signaling_router | ≤ 8.5.0.2 | Yes
Application | oracle | peoplesoft_enterprise_peopletools | 8.57 | Yes
Application | oracle | peoplesoft_enterprise_peopletools | 8.58 | Yes
Application | oracle | peoplesoft_enterprise_peopletools | 8.59 | Yes
Application | oracle | webcenter_portal | 12.2.1.3.0 | Yes
Application | oracle | webcenter_portal | 12.2.1.4.0 | Yes
Application | quarkus | quarkus | < 2.2.4 | Yes
Application | netapp | oncommand_insight | - | Yes
Operating System | debian | debian_linux | 10.0 | Yes
Operating System | debian | debian_linux | 11.0 | Yes
