低危 Netty 至 4.1.45 ZlibDecoders 内存破坏漏洞

CVE编号

CVE-2020-11612

利用情况

暂无

补丁情况

官方补丁

披露时间

2020-04-08
漏洞描述
Netty是Netty社区的一款非阻塞I/O客户端-服务器框架,它主要用于开发Java网络应用程序,如协议服务器和客户端等。
Netty 4.1.46之前的4.1.x版本中的ZlibDecoders存在缓冲区错误漏洞,该漏洞源于程序在解码ZlibEncoded字节流时没有限制内存分配。攻击者可通过发送大量ZlibEncoded字节流到Netty服务器利用该漏洞占用资源,导致拒绝服务。

解决建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:
https://github.com/netty/netty/pull/9924
参考链接
https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final
https://github.com/netty/netty/issues/6168
https://github.com/netty/netty/pull/9924
https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c...
https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba...
https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2...
https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927...
https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20b...
https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd...
https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc...
https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555...
https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83...
https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca0...
https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24...
https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a...
https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a96399686...
https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23...
https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb684609842...
https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba...
https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74...
https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b...
https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d702...
https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac7...
https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06...
https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e...
https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf4...
https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd...
https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e22...
https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33...
https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e01...
https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128...
https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f62...
https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2...
https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32...
https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a44...
https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb...
https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf...
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.netapp.com/advisory/ntap-20201223-0001/
https://www.debian.org/security/2021/dsa-4885
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 netapp oncommand_api_services - -
运行在以下环境
应用 netapp oncommand_insight - -
运行在以下环境
应用 netapp oncommand_workflow_automation - -
运行在以下环境
应用 netty netty * From
(including)
4.1 		Up to
(excluding)
4.1.46
运行在以下环境
系统 debian_10 netty * Up to
(excluding)
4.1.33-1+deb10u2
运行在以下环境
系统 debian_11 netty * Up to
(excluding)
4.1.48-1
运行在以下环境
系统 debian_12 netty * Up to
(excluding)
4.1.48-1
运行在以下环境
系统 fedora_33 jctools * Up to
(excluding)
3.1.0-1.fc33
运行在以下环境
系统 ubuntu_18.04 netty * Up to
(excluding)
4.1.7-4ubuntu0.1
阿里云评分
3.1
  • 攻击路径
    远程
  • 攻击复杂度
    复杂
  • 权限要求
    无需权限
  • 影响范围
    有限影响
  • EXP成熟度
    未验证
  • 补丁情况
    官方补丁
  • 数据保密性
    无影响
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    100
CWE-ID 漏洞类型
CWE-119 内存缓冲区边界内操作的限制不恰当
CWE-400 未加控制的资源消耗(资源穷尽)
CWE-770 不加限制或调节的资源分配
阿里云安全产品覆盖情况