Vulnerability Description
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netty | Netty | < 4.1.68 |
| Oracle | Banking Apis | >= 18.1, <= 18.3 |
| Oracle | Banking Digital Experience | 18.1 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Brm - Elastic Charging Engine | < 12.0.0.4.6 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.10.0 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0.0, <= 8.5.0.2 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Quarkus | Quarkus | < 2.2.4 |
| Netapp | Oncommand Insight | - |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363Third Party Advisory
- https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe334916
- https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5
- https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b4055801
- https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435a
- https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc969
- https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.htmlMailing ListThird Party Advisory
- https://security.netapp.com/advisory/ntap-20220210-0012/Third Party Advisory
- https://www.debian.org/security/2023/dsa-5316Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
- https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363Third Party Advisory
- https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe334916
FAQ
What is CVE-2021-37137?
CVE-2021-37137 is a vulnerability with a CVSS score of 7.5 (HIGH). The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was receive...
How severe is CVE-2021-37137?
CVE-2021-37137 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-37137?
Check the references section above for vendor advisories and patch information. Affected products include: Netty Netty, Oracle Banking Apis, Oracle Banking Digital Experience, Oracle Commerce Guided Search, Oracle Communications Brm - Elastic Charging Engine.