Vulnerability Description
Netty's Bzip2Decoder does not allow callers to set a size restriction on the decompressed output, and because the output size is unbounded, so is the allocation size used during decompression. All users of Bzip2Decoder are affected: a maliciously crafted bzip2 input can trigger an OutOfMemoryError (OOME) and thereby a denial of service (DoS).
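The following is an added example, not code from the Netty project or from the advisory. It reproduces the defect class described above with Python's standard bz2 module so the effect of a missing output limit can be observed offline: decompress_unbounded() stands in for a decoder with no size restriction (the vulnerable pattern), while decompress_bounded() is the check such a decoder needs, enforced inside the decompression loop rather than on a buffer that already exists. The function names, the 16 MiB/1 MiB sizes and the constructed zero-byte input are assumptions made for the demonstration, not figures from the advisory.

```python
"""Output-size guard for bzip2 decompression.

Added example, not code from the Netty project or the advisory. All sizes and
the sample input below are constructed for the demonstration.
"""
import bz2


class DecompressedSizeExceeded(Exception):
    """Raised when a stream would inflate past the configured limit."""


def make_bomb(decompressed_size: int) -> bytes:
    """Constructed sample input: a run of zero bytes compresses to a tiny
    stream whose decompressed size is chosen by whoever built it."""
    return bz2.compress(b"\x00" * decompressed_size, compresslevel=9)


def decompress_unbounded(data: bytes) -> int:
    """Vulnerable pattern: the output buffer is as large as the input dictates.
    Returns the number of bytes that had to be allocated."""
    return len(bz2.decompress(data))


def decompress_bounded(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Hardened pattern: decompress in pieces and stop as soon as the output
    would exceed max_output. Peak memory stays bounded by max_output however
    extreme the compression ratio, because the limit is checked inside the
    decompression loop before more output is accepted."""
    d = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data
    while not d.eof:
        room = max_output - len(out)
        # Request at most one byte beyond the remaining budget: a non-empty
        # result once room == 0 proves the stream is over the limit.
        piece = d.decompress(pending, max_length=min(chunk, room + 1))
        pending = b""  # later calls only drain what the decompressor buffered
        if len(out) + len(piece) > max_output:
            raise DecompressedSizeExceeded(
                f"decompressed output exceeds {max_output} bytes")
        out += piece
        if not piece and not d.eof and d.needs_input:
            raise ValueError("truncated bzip2 stream")
    if d.unused_data:
        raise ValueError("trailing data after end of bzip2 stream")
    return bytes(out)


def is_bomb(data: bytes, max_output: int) -> bool:
    """True if decompressing data would produce more than max_output bytes."""
    try:
        decompress_bounded(data, max_output)
    except DecompressedSizeExceeded:
        return True
    return False


if __name__ == "__main__":
    bomb = make_bomb(16 * 1024 * 1024)  # 16 MiB of zeros; the compressed stream is tiny
    print(f"compressed size: {len(bomb)} bytes")
    print(f"unbounded decoder allocated: {decompress_unbounded(bomb)} bytes")
    print(f"bounded decoder (1 MiB limit) rejects it: {is_bomb(bomb, 1024 * 1024)}")
```

The point of the bounded variant is where the check sits: a downstream consumer that measures the output after the decoder has already produced it cannot prevent the allocation described in this advisory, so the limit has to be a parameter of the decoder itself.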
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netty | Netty | < 4.1.68 |
| Quarkus | Quarkus | < 2.2.4 |
| Oracle | Banking Apis | >= 18.1, <= 18.3 |
| Oracle | Banking Digital Experience | 18.1 |
| Oracle | Coherence | 12.2.1.4.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Brm - Elastic Charging Engine | < 12.0.0.4.6 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.10.0 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 |
| Oracle | Communications Cloud Native Core Policy | 1.15.0 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.7.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.15.0 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0.0, <= 8.5.0.2 |
| Oracle | Communications Instant Messaging Server | 8.1 |
| Oracle | Helidon | 1.4.10 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.48 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Netapp | Oncommand Insight | - |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv (Third Party Advisory)
- https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe334916
- https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5
- https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b4055801
- https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435a
- https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc969
- https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220210-0012/ (Third Party Advisory)
- https://www.debian.org/security/2023/dsa-5316 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-37136?
CVE-2021-37136 is a vulnerability with a CVSS base score of 7.5 (HIGH). Netty's Bzip2Decoder does not allow a size restriction to be set on the decompressed output, so the allocation size used during decompression is unbounded; all users of Bzip2Decoder are affected, and a malicious input can trigger an OutOfMemoryError and thereby a denial of service.
How severe is CVE-2021-37136?
CVE-2021-37136 has been rated HIGH with a CVSS base score of 7.5/10. The impact is availability only (an out-of-memory denial of service); see the vendor advisories in the references for each product's own severity assessment.
Is there a patch for CVE-2021-37136?
Yes. Netty fixed the issue in 4.1.68 and Quarkus in 2.2.4 (the affected ranges in the table above are < 4.1.68 and < 2.2.4 respectively). For the affected Oracle products, NetApp OnCommand Insight and Debian 10, see the vendor advisories and Critical Patch Update pages listed in the references section above.