vulnerability
Red Hat JBoss EAP: CVE-2021-37136: Uncontrolled Resource Consumption
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Sep 9, 2021 | Sep 19, 2024 | Mar 25, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
Sep 9, 2021
Added
Sep 19, 2024
Modified
Mar 25, 2026
Description
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.
Solution
red-hat-jboss-eap-upgrade-latest
References
- CWE-400
- CVE-2021-37136
- https://attackerkb.com/topics/CVE-2021-37136
- https://access.redhat.com/security/cve/CVE-2021-37136
- https://bugzilla.redhat.com/show_bug.cgi?id=2004133
- https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
- https://access.redhat.com/errata/RHSA-2022:4918
- https://access.redhat.com/errata/RHSA-2022:4919
- https://access.redhat.com/errata/RHSA-2022:4922
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-2064
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.