CVE-2024-29025

Netty HttpPostRequestDecoder can OOM

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.

Netty es un framework de aplicación de red asíncrono impulsado por eventos para el desarrollo rápido de servidores y clientes de protocolo de alto rendimiento mantenibles. Se puede engañar al `HttpPostRequestDecoder` para que acumule datos. Si bien el decodificador puede almacenar elementos en el disco si está configurado así, no hay límites para la cantidad de campos que puede tener el formulario, un adjunto puede enviar una publicación fragmentada que consta de muchos campos pequeños que se acumularán en la lista `bodyListHttpData`. El decodificador acumula bytes en el búfer `undecodedChunk` hasta que puede decodificar un campo, este campo puede acumular datos sin límites. Esta vulnerabilidad se soluciona en 4.1.108.Final.

A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-14 CVE Reserved
2024-03-25 CVE Published
2024-03-26 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (6)

URL	Tag	Source
https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3	X_refsource_misc
https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c	X_refsource_misc
https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v	X_refsource_confirm
https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-29025	2024-11-13
https://bugzilla.redhat.com/show_bug.cgi?id=2272907	2024-11-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netty Search vendor "Netty"		Netty Search vendor "Netty" for product "Netty"				*		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				*		-		Affected
Redhat Search vendor "Redhat"		Optaplanner Search vendor "Redhat" for product "Optaplanner"				*		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				*		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				*		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				*		-		Affected
Suse Search vendor "Suse"		Packagehub Search vendor "Suse" for product "Packagehub"				*		-		Affected
Suse Search vendor "Suse"		Sle-module-development-tools Search vendor "Suse" for product "Sle-module-development-tools"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc-espos Search vendor "Suse" for product "Sle Hpc-espos"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc-ltss Search vendor "Suse" for product "Sle Hpc-ltss"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc Search vendor "Suse" for product "Sle Hpc"				*		-		Affected
Suse Search vendor "Suse"		Sled Search vendor "Suse" for product "Sled"				*		-		Affected
Suse Search vendor "Suse"		Sles-ltss Search vendor "Suse" for product "Sles-ltss"				*		-		Affected
Suse Search vendor "Suse"		Sles Search vendor "Suse" for product "Sles"				*		-		Affected
Suse Search vendor "Suse"		Sles Sap Search vendor "Suse" for product "Sles Sap"				*		-		Affected