Bug 1222045 (CVE-2024-29025)

Summary: VUL-0: CVE-2024-29025: netty,netty3: HttpPostRequestDecoder can out of memory due to large number of form fields
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Fridrich Strba <fstrba>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo, camila.matos, fstrba
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/398881/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-29025:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-27 10:14:08 UTC 
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-29025
https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
https://www.cve.org/CVERecord?id=CVE-2024-29025

Patch:
https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
Comment 1 Andrea Mattiazzo 2024-03-27 10:15:43 UTC 
Tracking as affected:
- SUSE:SLE-15-SP2:Update/netty   
- SUSE:SLE-15-SP2:Update/netty3                                       
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update/netty
Comment 3 Maintenance Automation 2024-04-02 08:30:09 UTC 
SUSE-SU-2024:1079-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1222045
CVE References: CVE-2024-29025
Maintenance Incident: [SUSE:Maintenance:33151](https://smelt.suse.de/incident/33151/)
Sources used:
openSUSE Leap 15.5 (src):
 netty-tcnative-2.0.65-150200.3.19.1, netty-4.1.108-150200.4.23.1
Development Tools Module 15-SP5 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Package Hub 15 15-SP5 (src):
 netty-4.1.108-150200.4.23.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 netty-tcnative-2.0.65-150200.3.19.1
SUSE Enterprise Storage 7.1 (src):
 netty-tcnative-2.0.65-150200.3.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Fridrich Strba 2024-04-02 12:10:07 UTC 
Update released, reassigning to security for closing.
Comment 8 OBSbugzilla Bot 2024-07-04 11:25:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1222045) was mentioned in
https://build.opensuse.org/request/show/1185373 Factory / netty3
Comment 10 Maintenance Automation 2024-07-08 12:30:21 UTC 
SUSE-SU-2024:2313-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1222045
CVE References: CVE-2024-29025
Maintenance Incident: [SUSE:Maintenance:34576](https://smelt.suse.de/incident/34576/)
Sources used:
openSUSE Leap 15.5 (src):
 netty3-3.10.6-150200.3.10.1
openSUSE Leap 15.6 (src):
 netty3-3.10.6-150200.3.10.1
Development Tools Module 15-SP5 (src):
 netty3-3.10.6-150200.3.10.1
Development Tools Module 15-SP6 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 netty3-3.10.6-150200.3.10.1
SUSE Enterprise Storage 7.1 (src):
 netty3-3.10.6-150200.3.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.