CVE-2020-11612

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 07-04-2020 08:15

Last modified: - 26-04-2022 07:05

Total changes: - 11

Description

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Low

Attack complexity

Network

Attack vector

High

Availability

None

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

3.9

3.6

Exploitability score

Impact score

Verification logic

vendor=netty AND product=netty AND versionStartIncluding=4.1 AND versionEndExcluding=4.1.46

vendor=Debian AND product=debian_linux AND version=9.0

vendor=Debian AND product=debian_linux AND version=10.0

vendor=fedoraproject AND product=fedora AND version=33

vendor=netapp AND product=oncommand_api_services AND version=-

vendor=netapp AND product=oncommand_insight AND version=-

vendor=netapp AND product=oncommand_workflow_automation AND version=-

vendor=oracle AND product=communications_brm_-_elastic_charging_engine AND version=12.0.0.3

vendor=oracle AND product=communications_cloud_native_core_service_communication_proxy AND version=1.5.2

vendor=oracle AND product=communications_design_studio AND version=7.4.2

vendor=oracle AND product=nosql_database AND versionEndExcluding=20.3

vendor=oracle AND product=siebel_core_-_server_framework AND versionEndExcluding=21.5

vendor=oracle AND product=webcenter_portal AND version=12.2.1.3.0

vendor=oracle AND product=webcenter_portal AND version=12.2.1.4.0

vendor=oracle AND product=communications_messaging_server AND version=8.1

Reference

https://github.com/netty/netty/issues/6168
https://github.com/netty/netty/pull/9924
https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final
[druid-commits] 20200408 [GitHub] [druid] ccaominh opened a new pull request #9651: Upgrade netty 4 to fix CVE-2020-11612-Mailing List, Third Party Advisory
[druid-commits] 20200409 [GitHub] [druid] jon-wei merged pull request #9651: Upgrade netty 4 to fix CVE-2020-11612-Mailing List, Third Party Advisory
[druid-commits] 20200409 [GitHub] [druid] ccaominh opened a new pull request #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)-Mailing List, Third Party Advisory
[druid-commits] 20200409 [GitHub] [druid] ccaominh commented on issue #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)-Mailing List, Third Party Advisory
[druid-commits] 20200409 [GitHub] [druid] jon-wei merged pull request #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651)-Mailing List, Third Party Advisory
[druid-commits] 20200409 [druid] branch 0.18.0 updated: Upgrade netty 4 to fix CVE-2020-11612 (#9651) (#9654)-Mailing List, Patch, Third Party Advisory
[zookeeper-issues] 20200413 [jira] [Updated] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612-Mailing List, Third Party Advisory
[zookeeper-notifications] 20200413 [GitHub] [zookeeper] phunt opened a new pull request #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612-Mailing List, Third Party Advisory
[zookeeper-dev] 20200413 [jira] [Created] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612-Mailing List, Third Party Advisory
[zookeeper-issues] 20200413 [jira] [Assigned] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612-Mailing List, Third Party Advisory
[zookeeper-issues] 20200413 [jira] [Created] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612-Mailing List, Third Party Advisory
[zookeeper-notifications] 20200414 [GitHub] [zookeeper] phunt commented on issue #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612-Mailing List, Third Party Advisory
[zookeeper-notifications] 20200414 [GitHub] [zookeeper] eolivelli commented on issue #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612-Mailing List, Third Party Advisory
[zookeeper-issues] 20200415 [jira] [Resolved] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612-Mailing List, Third Party Advisory
[zookeeper-commits] 20200415 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612-Mailing List, Patch, Third Party Advisory
[zookeeper-commits] 20200415 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612-Mailing List, Patch, Third Party Advisory
[zookeeper-commits] 20200415 [zookeeper] branch master updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612-Mailing List, Patch, Third Party Advisory
[zookeeper-notifications] 20200415 [GitHub] [zookeeper] eolivelli closed pull request #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612-Mailing List, Third Party Advisory
[zookeeper-commits] 20200415 [zookeeper] branch release-3.6.1 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612-Mailing List, Patch, Third Party Advisory
[zookeeper-notifications] 20200415 Build failed in Jenkins: zookeeper-master-maven-jdk12 #465-Mailing List, Third Party Advisory
[zookeeper-notifications] 20200415 Build failed in Jenkins: zookeeper-branch36-java8 #137-Mailing List, Third Party Advisory
[pulsar-commits] 20200416 [GitHub] [pulsar] massakam opened a new pull request #6746: [build] Bump netty version to 4.1.48.Final-Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71@%3Cnotifications.zookeeper.apache.org%3E
[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-owasp #489-Mailing List, Third Party Advisory
[zookeeper-commits] 20200504 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo-Mailing List, Third Party Advisory
[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-jdk12 #490-Mailing List, Third Party Advisory
[zookeeper-commits] 20200504 [zookeeper] branch master updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo-Mailing List, Third Party Advisory
[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven #784-Mailing List, Third Party Advisory
[zookeeper-commits] 20200504 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo-Mailing List, Third Party Advisory
[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update-Mailing List, Third Party Advisory
[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink-Mailing List, Third Party Advisory
[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink-Mailing List, Third Party Advisory
FEDORA-2020-66b5f85ccc-Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20201223-0001/
https://www.oracle.com/security-alerts/cpujan2021.html
[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444-Mailing List, Third Party Advisory
[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444-Mailing List, Third Party Advisory
[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444-Mailing List, Third Party Advisory
DSA-4885-Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
N/A-Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Keywords

CVE-2020-11612

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2020-11612

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures