
CVE-2021-37136

CVSS Severity Score: 7.5 (HIGH)
EPSS Score: 0.1790%
EPSS Percentile: 0.72th
Published: Oct 19, 2021
Last Modified: Nov 21, 2024

Vulnerability Description

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME) and thereby cause a denial of service (DoS).

Affected Platforms (CPE)

Vendor | Product | Affected versions
Netty | Netty | < 4.1.68
Quarkus | Quarkus | < 2.2.4
Oracle | Banking Apis | >= 18.1 and <= 18.3
Oracle | Banking Apis | = 19.1
Oracle | Banking Apis | = 19.2
Oracle | Banking Apis | = 20.1
Oracle | Banking Apis | = 21.1
Oracle | Banking Digital Experience | = 18.1
Oracle | Banking Digital Experience | = 18.2
Oracle | Banking Digital Experience | = 18.3
Oracle | Banking Digital Experience | = 19.1
Oracle | Banking Digital Experience | = 19.2
Oracle | Banking Digital Experience | = 20.1
Oracle | Banking Digital Experience | = 21.1
Oracle | Coherence | = 12.2.1.4.0
Oracle | Coherence | = 14.1.1.0.0
Oracle | Commerce Guided Search | = 11.3.2
Oracle | Communications Brm Elastic Charging Engine | < 12.0.0.4.6
Oracle | Communications Brm Elastic Charging Engine | = 12
Oracle | Communications Cloud Native Core Binding Support Function | = 1.10.0
Oracle | Communications Cloud Native Core Binding Support Function | = 1.11.0
Oracle | Communications Cloud Native Core Network Slice Selection Function | = 1.8.0
Oracle | Communications Cloud Native Core Policy | = 1.15.0
Oracle | Communications Cloud Native Core Security Edge Protection Proxy | = 1.7.0
Oracle | Communications Cloud Native Core Unified Data Repository | = 1.15.0
Oracle | Communications Diameter Signaling Router | >= 8.0.0.0 and <= 8.5.0.2
Oracle | Communications Instant Messaging Server | = 8.1
Oracle | Helidon | = 1.4.10
Oracle | Helidon | = 2.4.0
Oracle | Peoplesoft Enterprise Peopletools | = 8.48
Oracle | Peoplesoft Enterprise Peopletools | = 8.57
Oracle | Peoplesoft Enterprise Peopletools | = 8.58
Oracle | Peoplesoft Enterprise Peopletools | = 8.59
Oracle | Webcenter Portal | = 12.2.1.3.0
Oracle | Webcenter Portal | = 12.2.1.4.0
Netapp | Oncommand Insight | All versions
Debian | Debian Linux | = 10.0
Debian | Debian Linux | = 11.0
