Netty 至 4.1.45 ZlibDecoders 内存破坏漏洞

admin
admin
admin
0
文章
0
评论
2023-12-01 22:24:47 Ali_nvd 来源:ZONE.CI 全球网 0 阅读模式
低危 Netty 至 4.1.45 ZlibDecoders 内存破坏漏洞

CVE编号

CVE-2020-11612

利用情况

暂无

补丁情况

官方补丁

披露时间

2020-04-08
漏洞描述
Netty是Netty社区的一款非阻塞I/O客户端-服务器框架,它主要用于开发Java网络应用程序,如协议服务器和客户端等。 Netty 4.1.46之前的4.1.x版本中的ZlibDecoders存在缓冲区错误漏洞,该漏洞源于程序在解码ZlibEncoded字节流时没有限制内存分配。攻击者可通过发送大量ZlibEncoded字节流到Netty服务器利用该漏洞占用资源,导致拒绝服务。
解决建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:https://github.com/netty/netty/pull/9924
参考链接
https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final
https://github.com/netty/netty/issues/6168
https://github.com/netty/netty/pull/9924
https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c...
https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba...
https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2...
https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927...
https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20b...
https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd...
https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc...
https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555...
https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83...
https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca0...
https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24...
https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a...
https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a96399686...
https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23...
https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb684609842...
https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba...
https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74...
https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b...
https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d702...
https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac7...
https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06...
https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e...
https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf4...
https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd...
https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e22...
https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33...
https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e01...
https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128...
https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f62...
https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2...
https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32...
https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a44...
https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb...
https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf...
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.netapp.com/advisory/ntap-20201223-0001/
https://www.debian.org/security/2021/dsa-4885
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 netapp oncommand_api_services - -
运行在以下环境
应用 netapp oncommand_insight - -
运行在以下环境
应用 netapp oncommand_workflow_automation - -
运行在以下环境
应用 netty netty * From (including) 4.1 Up to (excluding) 4.1.46
运行在以下环境
系统 debian_10 netty * Up to (excluding) 1:4.1.33-1+deb10u2
运行在以下环境
系统 debian_11 netty * Up to (excluding) 1:4.1.48-1
运行在以下环境
系统 debian_12 netty * Up to (excluding) 1:4.1.48-1
运行在以下环境
系统 debian_9 netty * Up to (excluding) 1:4.1.7-2+deb9u2
运行在以下环境
系统 debian_sid netty * Up to (excluding) 1:4.1.48-1
运行在以下环境
系统 fedora_33 jctools * Up to (excluding) 3.1.0-1.fc33
运行在以下环境
系统 ubuntu_18.04 netty * Up to (excluding) 1:4.1.7-4ubuntu0.1
运行在以下环境
系统 ubuntu_18.04.5_lts netty * Up to (excluding) 1:4.1.7-4ubuntu0.1
阿里云评分 3.1
  • 攻击路径 远程
  • 攻击复杂度 复杂
  • 权限要求 无需权限
  • 影响范围 有限影响
  • EXP成熟度 未验证
  • 补丁情况 官方补丁
  • 数据保密性 无影响
  • 数据完整性 无影响
  • 服务器危害 无影响
  • 全网数量 100
CWE-ID 漏洞类型
CWE-119 内存缓冲区边界内操作的限制不恰当
CWE-400 未加控制的资源消耗(资源穷尽)
CWE-770 不加限制或调节的资源分配
- avd.aliyun.com
weinxin
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
ZONE.CI 全球网 | 安全领域涉猎者-乌云独行地带
ZONE.CI 全球网
安全领域涉猎者-乌云独行地带
N/A Ali_nvd

N/A

N/ACVE编号 CVE-2024-9120利用情况 暂无补丁情况 N/A披露时间 2024-09-23漏洞描述Use after free in Dawn
09-260 评论
ZONE.CI 全球网 | 安全领域涉猎者-乌云独行地带
安全领域涉猎者-乌云独行地带
ZONE.CI 全球网
评论:0   参与:  0