BDSA-2024-0720 Netty Vulnerable to Denial-of-Service (DoS) via Uncontrolled Memory Allocation in 'HttpPostRequestDecoder' Component
KafkaProServerless opened this issue · 1 comments
Hello team,
Thank you for the work on this project.
Our company runs daily scans using BlackDuck, SonarQube, OWASP, etc., and it found:
BDSA-2024-0720
High
CVSS3 Base : 7.5
CVSS3 Impact : 3.6
CVSS3 Exploitability : 3.9
Netty Vulnerable to Denial-of-Service (DoS) via Uncontrolled Memory Allocation in 'HttpPostRequestDecoder' Component
Description
Netty is vulnerable to denial-of-service (DoS) due to insufficient restrictions on the amount of memory that is allocated in the HttpPostRequestDecoder component. An attacker could exploit this by sending maliciously crafted data in order to cause an out-of-memory (OOM) error and a denial-of-service (DoS). Note: The vendor has mentioned that any Netty based HTTP server that uses the HttpPostRequestDecoder to decode a form is impacted.
Technical Description
This vulnerability exists within the HttpPostRequestDecoder functionality in multiple files in the codec-http/src/main/java/io/netty/handler/codec/http/multipart/ directory. There are insufficient limits on the number of fields a form can have when it is decoded. An attacker could send a crafted chunked post with a number of small fields which will result in the accumulation of data in the bodyListHttpData list. This results in the decoder cumulating bytes in the undecodedChunk buffer which does not have any limits, thus, leading to a denial-of-service (DoS) condition via an out-of-memory (OOM) error. It has been mitigated by introducing limits on both bodyListHttpData and the undecodedChunk buffer. maxFields defines the maximum number of fields a form can have and maxBufferedBytes defines the maximum amount of bytes a field can cumulate. The decoder controller will handle if a limit has been reached and will throw a decoder exception in a safe manner.
Vulnerability Source
BDSA
EXPLOIT | https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
We do use HttpPostRequestDecoder, could you please help?
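The advisory text above describes the mitigation as two new decoder limits, maxFields and maxBufferedBytes. The following handler is an added illustration of how a server would apply them once it is on a fixed release; it is not code from this issue or from the Netty project. It assumes a Netty version that carries the fix (4.1.108.Final or later), in which, to my knowledge, HttpPostRequestDecoder gained a constructor taking maxFields and maxBufferedBytes and the nested exception types TooManyFormFieldsException and TooLongFormFieldException; the class name BoundedFormHandler, the limit values and the extra whole-request byte cap are my own choices for the example.

```java
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpConstants;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpPostRequestDecoder;
import io.netty.handler.codec.http.multipart.InterfaceHttpData;

// Illustrative handler (not Netty project code). Assumes Netty 4.1.108.Final or later,
// where HttpPostRequestDecoder accepts maxFields / maxBufferedBytes limits.
public class BoundedFormHandler extends SimpleChannelInboundHandler<HttpObject> {
    // Hypothetical limits chosen for the example; tune them to the forms the server actually accepts.
    private static final int MAX_FIELDS = 128;                 // upper bound on form fields per request
    private static final int MAX_BUFFERED_BYTES = 64 * 1024;   // upper bound on bytes buffered for one field
    private static final long MAX_FORM_BYTES = 1024L * 1024L;  // defence in depth: cap the whole body too

    private HttpPostRequestDecoder decoder;
    private long received;

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, HttpObject msg) {
        if (msg instanceof HttpRequest) {
            // Build the decoder with both limits; without them a chunked stream of tiny
            // fields can grow bodyListHttpData and undecodedChunk without bound.
            decoder = new HttpPostRequestDecoder(new DefaultHttpDataFactory(false), (HttpRequest) msg,
                    HttpConstants.DEFAULT_CHARSET, MAX_FIELDS, MAX_BUFFERED_BYTES);
            received = 0;
        }
        if (msg instanceof HttpContent && decoder != null) {
            HttpContent chunk = (HttpContent) msg;
            received += chunk.content().readableBytes();
            if (received > MAX_FORM_BYTES) {
                reject(ctx, HttpResponseStatus.REQUEST_ENTITY_TOO_LARGE);
                return;
            }
            try {
                decoder.offer(chunk); // streaming decode; the limits are enforced inside offer()
            } catch (HttpPostRequestDecoder.TooManyFormFieldsException
                     | HttpPostRequestDecoder.TooLongFormFieldException e) {
                // A limit was hit: the decoder stops accumulating, and we close the connection.
                reject(ctx, HttpResponseStatus.REQUEST_ENTITY_TOO_LARGE);
                return;
            } catch (DecoderException e) {
                reject(ctx, HttpResponseStatus.BAD_REQUEST); // malformed form data
                return;
            }
            if (chunk instanceof LastHttpContent) {
                for (InterfaceHttpData field : decoder.getBodyHttpDatas()) {
                    // Application logic consumes the bounded set of fields here.
                }
                ctx.writeAndFlush(new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK));
                cleanup();
            }
        }
    }

    private void reject(ChannelHandlerContext ctx, HttpResponseStatus status) {
        cleanup();
        ctx.writeAndFlush(new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, status))
           .addListener(ChannelFutureListener.CLOSE);
    }

    private void cleanup() {
        if (decoder != null) {
            decoder.destroy(); // release any buffered field data
            decoder = null;
        }
    }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) {
        cleanup(); // never keep decoder state alive past the connection
    }
}
```

The handler sits behind HttpServerCodec and deliberately does not rely on HttpObjectAggregator, since the point of the advisory is that the decoder itself must bound what it buffers while chunks stream in. A practitioner checking exposure can grep for HttpPostRequestDecoder and HttpPostMultipartRequestDecoder constructors that pass no limits and confirm the dependency resolves to a release at or above 4.1.108.Final.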
Just upgrade to the latest release which has the fix.