JFrog Security Research

XRAY-186801 - netty Bzip2 decoder DoS

CVE-2021-37136 | CVSS 7.5

JFrog Severity: high

Published 9 Sep. 2021 | Last updated 9 Sep. 2021

Resource exhaustion in netty's Bzip2 decoder leads to denial of service

Netty

[4.1.0 - 4.1.67], fixed in 4.1.68

netty is a popular client/server framework which enables quick and easy development of network applications such as protocol servers and clients.

A vulnerability was found in netty's Bzip2 decoder: when the netty library is used to decode arbitrary data streams, netty does not limit the stream in any way. An attacker who can submit a big file to decompress may cause memory exhaustion, which leads to denial of service on the netty daemon process and possibly other processes on the same machine.

Example code that can trigger the issue:

import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.compression.Bzip2Decoder;
import java.io.FileInputStream;

public class Bzip2DecoderDoS { // enclosing class so the snippet compiles; any name works
    public static void main(String[] args) throws Exception {
        Bzip2Decoder decoder = new Bzip2Decoder(); // Create the decompressor
        final ByteBufAllocator allocator = new PooledByteBufAllocator(false);
        FileInputStream file = new FileInputStream("C:\\temp\\100GB.bz2"); // External input
        int inputChunks = 64 * 1024;
        ByteBuf buf = allocator.heapBuffer(inputChunks);
        // Stub context used by this snippet; its definition is not included on this page
        ChannelHandlerContext ctx = new StubChannelHandlerContext(allocator);
        // writeBytes(InputStream, int) returns -1 at end of file, so this loops over the whole input
        while (buf.writeBytes(file, buf.writableBytes()) >= 0) {
            System.out.println("Input: " + buf.capacity());
            decoder.channelRead(ctx, buf); // BUG, No internal resource release!
            buf = allocator.heapBuffer(inputChunks); // fresh 64 KiB chunk for the next read
            decoder.channelReadComplete(ctx);
        }
    }
}

No PoC is supplied for this issue.

No vulnerability mitigations are supplied for this issue.

(JFrog) Denial of Service Security Vulnerabilities in Netty Networking Library
