Description


The Snappy frame decoder function does not restrict the chunk length, which may lead to excessive memory usage. It may also buffer reserved skippable chunks until the whole chunk has been received, which may likewise lead to excessive memory usage. This vulnerability can be triggered by supplying malicious input that decompresses to a very large size (via a network stream or a file) or by sending a huge skippable chunk.

Related CPEs


Vulnerable

a · oracle · banking_apis · 5
a · oracle · banking_digital_experience · 7
a · oracle · communications_brm_-_elastic_charging_engine · 2
a · oracle · peoplesoft_enterprise_peopletools · 3
a · oracle · webcenter_portal · 2

Vulnerable


o · debian · debian_linux · 2

Weaknesses



CWE-400



CVSS impact metrics


CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 · High


Information


Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-10-19T15:15:07.757


Last modified

2023-11-07T03:36:54.510
