Home > Vulnerability Database > CVE-2021-37136

Mend.io Vulnerability Database

CVE-2021-37136

Good to know:

Date: October 19, 2021

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

Language: Java

Severity Score

4.4

Related Resources (18)

Url: https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E

Url: https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-37136

Url: https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E

Url: https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E

Url: https://www.debian.org/security/2023/dsa-5316

Url: https://www.oracle.com/security-alerts/cpujan2022.html

Url: https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html

Url: https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E

Url: https://security-tracker.debian.org/tracker/CVE-2021-37136

Url: https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020

Url: https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E

Url: https://www.oracle.com/security-alerts/cpuapr2022.html

Url: https://www.oracle.com/security-alerts/cpujul2022.html

Url: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv

Url: https://github.com/advisories/GHSA-grg4-wf29-r9vv

Url: https://security.netapp.com/advisory/ntap-20220210-0012/

Url: https://www.mend.io/vulnerability-database/CVE-2021-37136

Severity Score

4.4

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Top Fix

Upgrade Version

Upgrade to version io.netty:netty-codec:4.1.68.Final;io.netty:netty-all::4.1.68.Final

Learn More

CVSS v3

Base Score:	4.4
Attack Vector (AV):
Attack Complexity (AC):
Privileges Required (PR):
User Interaction (UI):
Scope (S):
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL

CVSS v2

Base Score:	5.3
Access Vector (AV):
Access Complexity (AC):
Authentication (AU):
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-37136

Good to know:

Date: October 19, 2021

Language: Java

Severity Score

Related Resources (18)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3

CVSS v2

Do you need more information?