Bugzilla – Bug 1222045
VUL-0: CVE-2024-29025: netty,netty3: HttpPostRequestDecoder can out of memory due to large number of form fields
Last modified: 2024-07-08 12:30:21 UTC
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked into accumulating data. While the decoder can store items on disk if configured to do so, there is no limit to the number of fields the form can have, so an attacker can send a chunked POST consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder accumulates bytes in the `undecodedChunk` buffer until it can decode a field, and this field can accumulate data without limit. This vulnerability is fixed in 4.1.108.Final.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-29025
https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
https://www.cve.org/CVERecord?id=CVE-2024-29025
Patch: https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
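Added example, not from the bug report or from Netty's own sources: a server-side handler showing how a fixed Netty (4.1.108.Final or later) is used so that a chunked POST with many tiny fields, or one field that never ends, cannot grow `bodyListHttpData` or `undecodedChunk` without bound. Assumptions: the handler sits behind an `HttpServerCodec` without an `HttpObjectAggregator` (an aggregator would buffer the whole body before this decoder ever sees it); the five-argument `HttpPostRequestDecoder(factory, request, charset, maxFields, maxBufferedBytes)` constructor and the nested `TooManyFormFieldsException` / `TooLongFormFieldException` types are the ones added by the referenced fix commit and should be checked against the 4.1.108 sources in use; the limits of 64 fields and 16 KiB of undecoded bytes are illustrative values, not recommendations from the advisory.

```java
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpPostRequestDecoder;
import io.netty.handler.codec.http.multipart.InterfaceHttpData;
import io.netty.util.CharsetUtil;

// Added example: bounded form decoding per connection (not Netty project code).
public class BoundedFormHandler extends SimpleChannelInboundHandler<HttpObject> {

    // Illustrative limits (assumption): cap on fields kept in bodyListHttpData and
    // on bytes the decoder may hold in undecodedChunk before a field completes.
    private static final int MAX_FIELDS = 64;
    private static final int MAX_BUFFERED_BYTES = 16 * 1024;

    // Fields larger than MINSIZE (16 KiB) are spooled to disk instead of the heap.
    private final HttpDataFactory factory =
            new DefaultHttpDataFactory(DefaultHttpDataFactory.MINSIZE);
    private HttpPostRequestDecoder decoder;

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, HttpObject msg) {
        if (msg instanceof HttpRequest) {
            HttpRequest request = (HttpRequest) msg;
            if (!HttpMethod.POST.equals(request.method())) {
                reject(ctx, HttpResponseStatus.METHOD_NOT_ALLOWED);
                return;
            }
            try {
                // Assumed 5-arg constructor from the fix: limits are per decoder, so
                // every request gets its own bound rather than a process-wide one.
                decoder = new HttpPostRequestDecoder(factory, request, CharsetUtil.UTF_8,
                        MAX_FIELDS, MAX_BUFFERED_BYTES);
            } catch (HttpPostRequestDecoder.ErrorDataDecoderException e) {
                reject(ctx, HttpResponseStatus.BAD_REQUEST);
                return;
            }
        }
        if (msg instanceof HttpContent && decoder != null) {
            try {
                decoder.offer((HttpContent) msg);   // may throw once a limit is crossed
                drainCompletedFields();
            } catch (HttpPostRequestDecoder.TooManyFormFieldsException
                     | HttpPostRequestDecoder.TooLongFormFieldException e) {
                // A limit was hit: free everything accumulated so far and close the
                // connection so no further chunks are read for this request.
                cleanup();
                reject(ctx, HttpResponseStatus.REQUEST_ENTITY_TOO_LARGE);
                return;
            } catch (HttpPostRequestDecoder.ErrorDataDecoderException e) {
                cleanup();
                reject(ctx, HttpResponseStatus.BAD_REQUEST);
                return;
            }
            if (msg instanceof LastHttpContent) {
                cleanup();
                reject(ctx, HttpResponseStatus.OK);   // same write-and-close path
            }
        }
    }

    // Consume each decoded field as soon as it is complete and release it, so the
    // decoder's bodyListHttpData does not keep the whole form alive until destroy().
    private void drainCompletedFields() {
        try {
            while (decoder.hasNext()) {
                InterfaceHttpData data = decoder.next();
                // Application logic on data.getName() / the Attribute value goes here.
                decoder.removeHttpDataFromClean(data);
                data.release();
            }
        } catch (HttpPostRequestDecoder.EndOfDataDecoderException e) {
            // No further complete field yet; wait for the next chunk.
        }
    }

    private void cleanup() {
        if (decoder != null) {
            decoder.destroy();   // releases buffered chunks and any disk-backed files
            decoder = null;
        }
    }

    private static void reject(ChannelHandlerContext ctx, HttpResponseStatus status) {
        FullHttpResponse resp = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, status);
        ctx.writeAndFlush(resp).addListener(ChannelFutureListener.CLOSE);
    }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) {
        cleanup();   // client went away mid-body: do not leak the partial form
        ctx.fireChannelInactive();
    }
}
```

The two things this adds over the pre-fix idiom are the explicit per-request limits at construction time and eager draining of completed fields; on an unpatched Netty neither limit exists and the same chunked POST simply grows the decoder's list and buffer until the heap is exhausted.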
Tracking as affected:
- SUSE:SLE-15-SP2:Update/netty
- SUSE:SLE-15-SP2:Update/netty3
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update/netty
SUSE-SU-2024:1079-1: An update that solves one vulnerability can now be installed.
Category: security (important)
Bug References: 1222045
CVE References: CVE-2024-29025
Maintenance Incident: [SUSE:Maintenance:33151](https://smelt.suse.de/incident/33151/)
Sources used:
- openSUSE Leap 15.5 (src): netty-tcnative-2.0.65-150200.3.19.1, netty-4.1.108-150200.4.23.1
- Development Tools Module 15-SP5 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Package Hub 15 15-SP5 (src): netty-4.1.108-150200.4.23.1
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): netty-tcnative-2.0.65-150200.3.19.1
- SUSE Enterprise Storage 7.1 (src): netty-tcnative-2.0.65-150200.3.19.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Update released, reassigning to security for closing.
This is an autogenerated message for OBS integration: This bug (1222045) was mentioned in https://build.opensuse.org/request/show/1185373 Factory / netty3
SUSE-SU-2024:2313-1: An update that solves one vulnerability can now be installed.
Category: security (important)
Bug References: 1222045
CVE References: CVE-2024-29025
Maintenance Incident: [SUSE:Maintenance:34576](https://smelt.suse.de/incident/34576/)
Sources used:
- openSUSE Leap 15.5 (src): netty3-3.10.6-150200.3.10.1
- openSUSE Leap 15.6 (src): netty3-3.10.6-150200.3.10.1
- Development Tools Module 15-SP5 (src): netty3-3.10.6-150200.3.10.1
- Development Tools Module 15-SP6 (src): netty3-3.10.6-150200.3.10.1
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): netty3-3.10.6-150200.3.10.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): netty3-3.10.6-150200.3.10.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): netty3-3.10.6-150200.3.10.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): netty3-3.10.6-150200.3.10.1
- SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): netty3-3.10.6-150200.3.10.1
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): netty3-3.10.6-150200.3.10.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): netty3-3.10.6-150200.3.10.1
- SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): netty3-3.10.6-150200.3.10.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): netty3-3.10.6-150200.3.10.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): netty3-3.10.6-150200.3.10.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): netty3-3.10.6-150200.3.10.1
- SUSE Enterprise Storage 7.1 (src): netty3-3.10.6-150200.3.10.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.