vulnerability
Red Hat JBoss EAP: CVE-2021-37136: Uncontrolled Resource Consumption
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Sep 9, 2021 | Sep 19, 2024 | Jul 2, 2025 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
Sep 9, 2021
Added
Sep 19, 2024
Modified
Jul 2, 2025
Description
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.
Solution
red-hat-jboss-eap-upgrade-latest
References
- CWE-400
- CVE-2021-37136
- https://attackerkb.com/topics/CVE-2021-37136
- URL-https://access.redhat.com/security/cve/CVE-2021-37136
- URL-https://bugzilla.redhat.com/show_bug.cgi?id=2004133
- URL-https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
- URL-https://access.redhat.com/errata/RHSA-2022:4918
- URL-https://access.redhat.com/errata/RHSA-2022:4919
- URL-https://access.redhat.com/errata/RHSA-2022:4922
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.