Hi there,
      I think the method
com.alibaba.rocketmq.shade.io.netty.handler.ssl.OpenSslEngine.wrap(ByteBuffer[]
srcs, int offset, int length, ByteBuffer dst) may have a “Loop with
Unreachable Exit Condition ('Infinite Loop')” vulnerability, which is
present in the newest version of com.alibaba.rocketmq:rocketmq-client.
It shares similarities with a recent CVE disclosure, *CVE-2016-4970*, in the
*"netty/netty"* project.
     The source vulnerability information is as follows:
>
> *Vulnerability Detail:*
>
> *CVE Identifier:* CVE-2016-4970
>
> *Description*: handler/ssl/OpenSslEngine.java in Netty 4.0.x before
> 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause
> a denial of service (infinite loop).
>
> *Reference:*
> https://nvd.nist.gov/vuln/detail/CVE-2016-4970
>
> *Patch*:
> https://github.com/netty/netty/commit/9e2c400f89c5badc39919f811179d3d42ac5257c
>

*Vulnerability Description:* The vulnerability is present in the class
com.alibaba.rocketmq.shade.io.netty.handler.ssl.OpenSslEngine, in the
method wrap(ByteBuffer[]
srcs, int offset, int length, ByteBuffer dst), which is responsible for
encrypting one or more input ByteBuffer objects using SSL/TLS and writing
the result to the destination ByteBuffer object. But the code snippet
in this method is similar to the vulnerable snippet for CVE-2016-4970 and
may have the same consequence as CVE-2016-4970: it allows remote attackers
to cause a denial of service (infinite loop). Therefore, maybe you need
to fix the vulnerability with much the same fix code as the CVE-2016-4970
patch.
    Considering the potential risks it may have, I am willing to cooperate
with you to verify, address, and report the identified vulnerability
promptly through responsible means. If you require any further information
or assistance, please do not hesitate to reach out to me. Thank you, and I
look forward to hearing from you soon.

Best regards,
Yiheng Cao
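
A triage check for the report above, added here as an example; it is not part of the original message or of either project's code. It looks inside a jar for the shaded `OpenSslEngine` class named in the report and compares the bundled Netty version with the ranges in the quoted CVE-2016-4970 description. It assumes the shaded jar still carries Netty's `META-INF/io.netty.versions.properties` with a `netty-handler.version` key; the function names and the sample jar are constructed for illustration.

```python
import io
import re
import zipfile

# Shaded class path taken from the report; the properties file is the one
# stock Netty jars ship (assumed here to survive shading).
SHADED_CLASS = "com/alibaba/rocketmq/shade/io/netty/handler/ssl/OpenSslEngine.class"
VERSIONS_FILE = "META-INF/io.netty.versions.properties"
# First fixed patch release per branch, from the CVE-2016-4970 description.
FIXED = {(4, 0): 37, (4, 1): 1}


def in_affected_range(version):
    """True if a version such as '4.0.36.Final' falls in the CVE ranges."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed


def audit_jar(jar_bytes):
    """Return (has_shaded_class, netty_handler_version or None, verdict)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        has_class = SHADED_CLASS in names
        version = None
        if VERSIONS_FILE in names:
            text = jar.read(VERSIONS_FILE).decode("utf-8", "replace")
            m = re.search(r"^netty-handler\.version\s*=\s*(\S+)", text, re.M)
            version = m.group(1) if m else None
    if not has_class:
        verdict = "class-absent"
    elif version is None:
        verdict = "review-manually"  # shaded copy present, version unknown
    else:
        verdict = "affected-range" if in_affected_range(version) else "fixed-range"
    return has_class, version, verdict


def make_sample_jar(version=None):
    """Constructed in-memory jar for demonstration; not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SHADED_CLASS, b"\xca\xfe\xba\xbe")
        if version:
            jar.writestr(VERSIONS_FILE, "netty-handler.version=%s\n" % version)
    return buf.getvalue()
```

A version inside the range is a triage signal only; confirming the report still means comparing the shaded `wrap` method against the linked patch.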
