Vulnerability Details : CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
Vulnerability category: Denial of service
Products affected by CVE-2021-37136
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.48:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
- Oracle » Communications Diameter Signaling RouterVersions from including (>=) 8.0.0.0 and up to, including, (<=) 8.5.0.2cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_instant_messaging_server:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12:0.0.5.0:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
- cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
- cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-37136
1.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 84 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-37136
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
N/A
|
N/A
|
Oracle:CPUOct2023 |
CWE ids for CVE-2021-37136
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by:
- nvd@nist.gov (Primary)
- reefs@jfrog.com (Secondary)
References for CVE-2021-37136
-
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
[SECURITY] [DLA 3268-1] netty security updateMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 - Pony MailMailing List;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Patch;Third Party Advisory
-
https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
Bzip2Decoder doesn't allow setting size restrictions for decompressed data · Advisory · netty/netty · GitHubThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2022.html
Oracle Critical Patch Update Advisory - January 2022Patch;Third Party Advisory
-
https://www.debian.org/security/2023/dsa-5316
Debian -- Security Information -- DSA-5316-1 nettyThird Party Advisory
-
https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 - Pony MailThird Party Advisory
-
https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E
[jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 - Pony MailMailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20220210-0012/
February 2022 Apache Netty Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 - Pony MailMailing List;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujul2022.html
Oracle Critical Patch Update Advisory - July 2022Patch;Third Party Advisory
Jump to