Vulnerability Description
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
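As an added example (not from this advisory or the Netty project), the check below exercises the per-message inflation cap that the 4.1.46 fix introduced, using an EmbeddedChannel so it runs without network I/O. It assumes Netty 4.1.46 or later on the classpath; MAX_INFLATED_BYTES is an assumed policy value, and the 16 MiB zero-filled payload is constructed test data.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.compression.DecompressionException;
import io.netty.handler.codec.compression.ZlibCodecFactory;
import io.netty.handler.codec.compression.ZlibWrapper;

// Added example, not Netty project code. Requires Netty >= 4.1.46 for the
// maxAllocation overload of ZlibCodecFactory.newZlibDecoder.
public class BoundedZlibDecoderCheck {
    // Assumed policy: largest inflated size to buffer for one message.
    static final int MAX_INFLATED_BYTES = 1 << 20; // 1 MiB

    /** Compress with Netty's own encoder so the input is a valid zlib stream. */
    static ByteBuf deflate(byte[] plain) {
        EmbeddedChannel enc = new EmbeddedChannel(
                ZlibCodecFactory.newZlibEncoder(ZlibWrapper.ZLIB));
        enc.writeOutbound(Unpooled.wrappedBuffer(plain));
        enc.finish(); // close() writes the final deflate block
        ByteBuf out = Unpooled.buffer();
        ByteBuf chunk;
        while ((chunk = enc.readOutbound()) != null) {
            out.writeBytes(chunk);
            chunk.release();
        }
        return out;
    }

    /** Returns true if the bounded decoder refused the stream at the cap. */
    static boolean isRejectedByCap(ByteBuf compressed) {
        EmbeddedChannel dec = new EmbeddedChannel(
                ZlibCodecFactory.newZlibDecoder(ZlibWrapper.ZLIB, MAX_INFLATED_BYTES));
        try {
            dec.writeInbound(compressed); // throws once output would exceed the cap
            return false;
        } catch (DecompressionException e) {
            return true;
        } finally {
            dec.finishAndReleaseAll();
        }
    }

    public static void main(String[] args) {
        byte[] small = new byte[64 * 1024];        // 64 KiB: fits under the cap
        byte[] bomb = new byte[16 * 1024 * 1024];  // constructed: 16 MiB of zeros, tiny on the wire
        System.out.println("64 KiB stream rejected: " + isRejectedByCap(deflate(small)));
        System.out.println("16 MiB stream rejected: " + isRejectedByCap(deflate(bomb)));
    }
}
```

On an unpatched 4.1.x the two-argument decoder factory does not exist, so this fails to compile rather than silently decoding without a bound.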
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netty | Netty | >= 4.1, < 4.1.46 |
| Debian | Debian Linux | 9.0 |
| Fedoraproject | Fedora | 33 |
| Netapp | Oncommand Api Services | - |
| Netapp | Oncommand Insight | - |
| Netapp | Oncommand Workflow Automation | - |
| Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.3 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.5.2 |
| Oracle | Communications Design Studio | 7.4.2 |
| Oracle | Nosql Database | < 20.3 |
| Oracle | Siebel Core - Server Framework | < 21.5 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Communications Messaging Server | 8.1 |
Related Weaknesses (CWE)
References
- https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final (Patch, Third Party Advisory)
- https://github.com/netty/netty/issues/6168 (Third Party Advisory)
- https://github.com/netty/netty/pull/9924 (Patch, Third Party Advisory)
- https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c088
- https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba042
- https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2ce9
- https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927501
- https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b
- https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd3b8
- https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc434
- https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555e1e
- https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83cd8
- https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca03e8
- https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24a13
- https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a684
FAQ
What is CVE-2020-11612?
CVE-2020-11612 is a vulnerability with a CVSS score of 7.5 (HIGH). The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server...
How severe is CVE-2020-11612?
CVE-2020-11612 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11612?
Check the references section above for vendor advisories and patch information. Affected products include: Netty, Debian Linux, Fedora, NetApp OnCommand API Services, NetApp OnCommand Insight.