WCM RnD created ZOOKEEPER-4405:
----------------------------------

             Summary: High Security issues reported with Netty library bundled in ZooKeeper 3.6.3 and 3.7
                 Key: ZOOKEEPER-4405
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4405
             Project: ZooKeeper
          Issue Type: Bug
    Affects Versions: 3.7.0, 3.6.3
            Reporter: WCM RnD
The Netty library used in ZooKeeper has the high security vulnerabilities reported below.

h2. BDSA-2021-2832

*Affected Component(s):* Netty Project
*Vulnerability Published:* 2021-09-23 06:15 EDT
*Vulnerability Updated:* 2021-09-23 06:15 EDT
*CVSS Score:* 6.5 (overall), 7.5 (base)
*Summary*: Netty is vulnerable to excessive memory usage due to being unable to set size restrictions on decompressed data input. An attacker could exploit this by supplying crafted input in order to cause a denial-of-service (DoS).
*Solution*: Fixed in version netty-4.1.68.Final

h2. BDSA-2021-2831

*Affected Component(s):* Netty Project
*Vulnerability Published:* 2021-09-22 07:35 EDT
*Vulnerability Updated:* 2021-09-22 07:35 EDT
*CVSS Score:* 6.5 (overall), 7.5 (base)
*Summary*: Netty is susceptible to excessive memory usage due to missing chunk length restrictions and the potential buffering of reserved skippable chunks until the complete chunk has been received. An attacker could exploit this by supplying crafted input in order to cause a denial-of-service (DoS).
*Solution*: Fixed in version netty-4.1.68.Final

Request to update the library to netty-4.1.68.Final where the vulnerabilities are fixed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
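As an added example (not part of this Jira issue or of the ZooKeeper project), the following POSIX shell check lets an operator verify, before and after applying the requested upgrade, that every Netty jar shipped in a ZooKeeper installation's lib/ directory is at or above netty-4.1.68.Final, the fixed release named in both advisories. It assumes jar files follow the standard Maven naming `netty-<module>-<version>[-<classifier>].jar`; the demo directory populated at the bottom is constructed from empty files and does not reflect any real ZooKeeper release.

```shell
#!/bin/sh
# Added example, not code from the Jira issue or the ZooKeeper project.
# Audits the Netty jars in a ZooKeeper lib/ directory against the release the
# issue names as fixed (netty-4.1.68.Final).
# Assumption: jar names follow Maven's netty-<module>-<version>[-<classifier>].jar.

FIXED_VERSION="4.1.68.Final"

# netty_version_from_jar PATH -> prints the version embedded in a Netty jar name
# (empty output when the name does not look like a Netty jar).
netty_version_from_jar() {
    basename "$1" .jar |
        sed -n 's/^netty-.*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.Final\).*$/\1/p'
}

# version_at_least ACTUAL MINIMUM -> returns 0 when ACTUAL >= MINIMUM.
# Compares the three numeric components; the ".Final" qualifier is ignored.
# Written with explicit if/return so it behaves the same under "set -e".
version_at_least() {
    a=$(printf '%s' "$1" | sed 's/\.Final$//')
    b=$(printf '%s' "$2" | sed 's/\.Final$//')
    a1=${a%%.*}; ar=${a#*.}; a2=${ar%%.*}; a3=${ar#*.}
    b1=${b%%.*}; br=${b#*.}; b2=${br%%.*}; b3=${br#*.}
    if [ "$a1" -ne "$b1" ]; then
        if [ "$a1" -gt "$b1" ]; then return 0; else return 1; fi
    fi
    if [ "$a2" -ne "$b2" ]; then
        if [ "$a2" -gt "$b2" ]; then return 0; else return 1; fi
    fi
    if [ "$a3" -ge "$b3" ]; then return 0; else return 1; fi
}

# audit_netty_jars LIBDIR -> prints one status line per Netty jar found and
# returns 1 if any of them is older than FIXED_VERSION, 0 otherwise.
audit_netty_jars() {
    status=0
    for jar in "$1"/netty-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        v=$(netty_version_from_jar "$jar")
        [ -n "$v" ] || continue            # not a recognisable Netty jar name
        if version_at_least "$v" "$FIXED_VERSION"; then
            echo "OK       $(basename "$jar") ($v)"
        else
            echo "OUTDATED $(basename "$jar") ($v < $FIXED_VERSION)"
            status=1
        fi
    done
    return $status
}

# Constructed demo: empty files standing in for a lib/ listing (not a real release).
demo=$(mktemp -d)
for f in netty-handler-4.1.50.Final.jar \
         netty-codec-4.1.50.Final.jar \
         netty-transport-native-epoll-4.1.50.Final-linux-x86_64.jar; do
    : > "$demo/$f"
done
audit_netty_jars "$demo" ||
    echo "At least one Netty jar is below $FIXED_VERSION; upgrade before deploying."
rm -rf "$demo"
```

Point `audit_netty_jars` at the real installation (for example `audit_netty_jars /opt/zookeeper/lib`) and wire its exit status into a deployment or CI gate; a non-zero status means an outdated Netty module is still on the classpath. The classifier-aware pattern matters because the native transport jars carry a platform suffix after the version and would otherwise be missed.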