CVE-2021-37136
CVE-2021-37136 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. EPSS estimates a 5.65% chance of exploitation in the next 30 days.
Description
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME (OutOfMemoryError) and therefore a DoS attack.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Netty | Netty | < 4.1.68 | — |
| Quarkus | Quarkus | < 2.2.4 | — |
| Oracle | Banking Apis | >= 18.1, <= 18.3 | — |
| Oracle | Banking Apis | 19.1 | — |
| Oracle | Banking Apis | 19.2 | — |
| Oracle | Banking Apis | 20.1 | — |
| Oracle | Banking Apis | 21.1 | — |
| Oracle | Banking Digital Experience | 18.1 | — |
| Oracle | Banking Digital Experience | 18.2 | — |
| Oracle | Banking Digital Experience | 18.3 | — |
| Oracle | Banking Digital Experience | 19.1 | — |
| Oracle | Banking Digital Experience | 19.2 | — |
| Oracle | Banking Digital Experience | 20.1 | — |
| Oracle | Banking Digital Experience | 21.1 | — |
| Oracle | Coherence | 12.2.1.4.0 | — |
| Oracle | Coherence | 14.1.1.0.0 | — |
| Oracle | Commerce Guided Search | 11.3.2 | — |
| Oracle | Communications Brm - Elastic Charging Engine | < 12.0.0.4.6 | — |
| Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.5.0 | — |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.10.0 | — |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.11.0 | — |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 | — |
| Oracle | Communications Cloud Native Core Policy | 1.15.0 | — |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.7.0 | — |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.15.0 | — |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0.0, <= 8.5.0.2 | — |
| Oracle | Communications Instant Messaging Server | 8.1 | — |
| Oracle | Helidon | 1.4.10 | — |
| Oracle | Helidon | 2.4.0 | — |
| Oracle | Peoplesoft Enterprise Peopletools | 8.48 | — |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 | — |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 | — |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 | — |
| Oracle | Webcenter Portal | 12.2.1.3.0 | — |
| Oracle | Webcenter Portal | 12.2.1.4.0 | — |
| Netapp | Oncommand Insight | All versions | — |
| Debian | Debian Linux | 10.0 | — |
| Debian | Debian Linux | 11.0 | — |
References
- https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220210-0012/ (Third Party Advisory)
- https://www.debian.org/security/2023/dsa-5316 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
Source: NVD / NIST
