CVE-2021-37136
Severity: high
CVSS v3: n/a
CVSS v4: n/a
VIR risk: 8.0
Description
Bzip2Decoder doesn't allow setting size restrictions for decompressed data
Predictions
Exploit likelihood: 30%
Patch ETA: n/a
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| n/a | Affected | n/a |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1:4.1.48-6 |
| sid | Fixed | 1:4.1.48-6 |
| forky | Fixed | 1:4.1.48-6 |
| bullseye | Fixed | 1:4.1.48-4+deb11u1 |
| bookworm | Fixed | 1:4.1.48-6 |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | n/a |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | io.netty:netty-codec | <4.1.68.Final | 4.1.68.Final |
| Maven | org.jboss.netty:netty | | |
| Maven | io.netty:netty | | |
References
- https://www.suse.com/security/cve/CVE-2021-37136.html
- https://errata.rockylinux.org/RLSA-2022:8506
- https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
- https://nvd.nist.gov/vuln/detail/CVE-2021-37136
- https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.debian.org/security/2023/dsa-5316
- https://security.netapp.com/advisory/ntap-20220210-0012
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
- https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E
- https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80
- https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305
- https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294
- https://github.com/netty/netty
- https://security-tracker.debian.org/tracker/CVE-2021-37136