CVE-2021-37137
CVE-2021-37137 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may likewise lead to excessive memory usage. EPSS estimates a 6.28% chance of exploitation in the next 30 days.
Description
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may likewise lead to excessive memory usage. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
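Both failure modes in the description come down to what a framing-format decoder does with the 4-byte chunk header (one type byte followed by a 3-byte little-endian length). The scanner below is an added example, not Netty's code and not the fix shipped in 4.1.68: it parses Snappy framing-format chunk headers, rejects data chunks whose declared length exceeds what the format allows before any payload is buffered, and discards reserved skippable chunks (types 0x80 to 0xFE) as they stream in instead of accumulating them. The 64 KiB per-chunk limit on uncompressed data is the framing specification's; the bound on compressed chunks is an assumption derived from Snappy's max-compressed-length formula, and the sample streams are constructed with dummy checksums.

```python
HEADER_LEN = 4                  # 1 byte chunk type + 3 byte little-endian chunk length
STREAM_IDENTIFIER = 0xFF        # payload is always the 6 bytes b"sNaPpY"
COMPRESSED_DATA = 0x00
UNCOMPRESSED_DATA = 0x01
CHECKSUM_LEN = 4                # masked CRC-32C that precedes the data in both data chunk types
MAX_UNCOMPRESSED = 65536        # framing spec: uncompressed data per chunk is at most 64 KiB
# Assumption: bound compressed chunks with Snappy's max-compressed-length formula
# (32 + n + n/6) applied to the 64 KiB limit, plus the checksum. Not Netty's constant.
MAX_COMPRESSED = CHECKSUM_LEN + 32 + MAX_UNCOMPRESSED + MAX_UNCOMPRESSED // 6


class FrameError(ValueError):
    """A chunk header violates the framing format or a length limit."""


def parse_chunk_header(header: bytes):
    """Return (chunk_type, chunk_length) from a 4-byte chunk header."""
    return header[0], header[1] | (header[2] << 8) | (header[3] << 16)


def chunk_length_limit(chunk_type: int):
    """Largest payload a decoder must buffer for this chunk type; None means skippable."""
    if chunk_type == STREAM_IDENTIFIER:
        return 6
    if chunk_type == COMPRESSED_DATA:
        return MAX_COMPRESSED
    if chunk_type == UNCOMPRESSED_DATA:
        return CHECKSUM_LEN + MAX_UNCOMPRESSED
    if 0x02 <= chunk_type <= 0x7F:
        raise FrameError(f"reserved unskippable chunk type 0x{chunk_type:02x}")
    return None                 # 0x80..0xFE: reserved skippable, discarded without buffering


class SnappyFrameScanner:
    """Incremental scanner that never holds more than one bounded chunk in memory.
    It validates framing only (no decompression, no checksum verification)."""

    def __init__(self):
        self._buf = bytearray()  # header plus payload of the chunk in progress
        self._expected = None    # total size of that chunk once its header is parsed
        self._skip_left = 0      # bytes of a skippable chunk still to be discarded
        self._skip_type = None
        self.max_buffered = 0    # high-water mark of self._buf, to show memory stays bounded

    def feed(self, data: bytes) -> list:
        """Consume data split at any boundary; return chunks completed or skipped."""
        events, pos = [], 0
        while pos < len(data):
            if self._skip_left:                      # skippable chunk: drop bytes on arrival
                n = min(self._skip_left, len(data) - pos)
                self._skip_left -= n
                pos += n
                if self._skip_left == 0:
                    events.append(("skipped", self._skip_type))
                continue
            if self._expected is None:               # still collecting the 4-byte header
                n = min(HEADER_LEN - len(self._buf), len(data) - pos)
                self._buf += data[pos:pos + n]
                pos += n
                if len(self._buf) < HEADER_LEN:
                    break
                chunk_type, chunk_length = parse_chunk_header(self._buf)
                limit = chunk_length_limit(chunk_type)
                if limit is None:
                    self._buf.clear()
                    self._skip_left, self._skip_type = chunk_length, chunk_type
                    if chunk_length == 0:
                        events.append(("skipped", chunk_type))
                    continue
                if chunk_length > limit:             # reject on the header alone, before buffering
                    raise FrameError(f"chunk type 0x{chunk_type:02x} declares "
                                     f"{chunk_length} bytes, limit is {limit}")
                self._expected = HEADER_LEN + chunk_length
            n = min(self._expected - len(self._buf), len(data) - pos)
            self._buf += data[pos:pos + n]
            pos += n
            self.max_buffered = max(self.max_buffered, len(self._buf))
            if len(self._buf) == self._expected:
                chunk_type, chunk_length = parse_chunk_header(self._buf)
                events.append(("chunk", chunk_type, chunk_length))
                self._buf.clear()
                self._expected = None
        return events


def make_chunk(chunk_type: int, payload: bytes) -> bytes:
    """Build a framing-format chunk (used only to construct sample input)."""
    return bytes([chunk_type]) + len(payload).to_bytes(3, "little") + payload


def scan(stream: bytes, piece: int = 7):
    """Feed a stream in small pieces, as a network decoder would; return (events, high-water mark)."""
    scanner, events = SnappyFrameScanner(), []
    for i in range(0, len(stream), piece):
        events.extend(scanner.feed(stream[i:i + piece]))
    return events, scanner.max_buffered


# Constructed sample streams (checksum fields are dummy zeros).
GOOD_STREAM = (make_chunk(STREAM_IDENTIFIER, b"sNaPpY")
               + make_chunk(UNCOMPRESSED_DATA, b"\0\0\0\0" + b"hello")
               + make_chunk(0x80, b"x" * 10))
# A header claiming a 16 MiB uncompressed chunk: rejected before any payload is read.
OVERSIZED_DATA_HEADER = bytes([UNCOMPRESSED_DATA]) + (0xFFFFFF).to_bytes(3, "little")
# A skippable chunk claiming 16 MiB with only part of it present: discarded, never buffered.
HUGE_SKIPPABLE = bytes([0x80]) + (0xFFFFFF).to_bytes(3, "little") + b"\0" * 1000

if __name__ == "__main__":
    print(scan(GOOD_STREAM))
    print(scan(HUGE_SKIPPABLE))
    try:
        scan(OVERSIZED_DATA_HEADER)
    except FrameError as exc:
        print("rejected:", exc)
```

The two properties worth checking in any decoder for this format are visible in `scan`'s second return value: a data chunk is accepted or refused from its header alone, so the buffer never grows past one bounded chunk, and a skippable chunk of any declared size leaves the high-water mark untouched because its bytes are dropped as they arrive.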
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Netty | Netty | < 4.1.68 |
| Oracle | Banking Apis | >= 18.1, <= 18.3 |
| Oracle | Banking Apis | 19.1 |
| Oracle | Banking Apis | 19.2 |
| Oracle | Banking Apis | 20.1 |
| Oracle | Banking Apis | 21.1 |
| Oracle | Banking Digital Experience | 18.1 |
| Oracle | Banking Digital Experience | 18.2 |
| Oracle | Banking Digital Experience | 18.3 |
| Oracle | Banking Digital Experience | 19.1 |
| Oracle | Banking Digital Experience | 19.2 |
| Oracle | Banking Digital Experience | 20.1 |
| Oracle | Banking Digital Experience | 21.1 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Brm - Elastic Charging Engine | < 12.0.0.4.6 |
| Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.5.0 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.10.0 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0.0, <= 8.5.0.2 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Webcenter Portal | 12.2.1.4.0 |
| Quarkus | Quarkus | < 2.2.4 |
| Netapp | Oncommand Insight | All versions |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
References
- https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363 (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220210-0012/ (Third Party Advisory)
- https://www.debian.org/security/2023/dsa-5316 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
Source: NVD / NIST
