Vulnerability Database

CVE-2021-37136

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME), resulting in a denial of service (DoS).

CVSS v3:

  • Severity: High
  • Score: 7.5
  • AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

  • Severity: Medium
  • Score: 5
  • AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

| Software | From | Fixed in |
|---|---|---|
| netty / netty | - | 4.1.68 |
| quarkus / quarkus | - | 2.2.4 |
| oracle / peoplesoft_enterprise_peopletools | 8.48 | 8.48.x |
| oracle / webcenter_portal | 12.2.1.3.0 | 12.2.1.3.0.x |
| oracle / peoplesoft_enterprise_peopletools | 8.57 | 8.57.x |
| oracle / banking_digital_experience | 18.2 | 18.2.x |
| oracle / banking_digital_experience | 18.3 | 18.3.x |
| oracle / banking_digital_experience | 19.1 | 19.1.x |
| oracle / banking_digital_experience | 18.1 | 18.1.x |
| oracle / peoplesoft_enterprise_peopletools | 8.58 | 8.58.x |
| oracle / coherence | 12.2.1.4.0 | 12.2.1.4.0.x |
| oracle / webcenter_portal | 12.2.1.4.0 | 12.2.1.4.0.x |
| oracle / coherence | 14.1.1.0.0 | 14.1.1.0.0.x |
| oracle / banking_digital_experience | 19.2 | 19.2.x |
| oracle / banking_digital_experience | 20.1 | 20.1.x |
| oracle / commerce_guided_search | 11.3.2 | 11.3.2.x |
| oracle / peoplesoft_enterprise_peopletools | 8.59 | 8.59.x |
| oracle / communications_cloud_native_core_security_edge_protection_proxy | 1.7.0 | 1.7.0.x |
| oracle / banking_digital_experience | 21.1 | 21.1.x |
| oracle / banking_apis | 18.1 | 18.3.x |
| oracle / banking_apis | 19.1 | 19.1.x |
| oracle / banking_apis | 19.2 | 19.2.x |
| oracle / banking_apis | 20.1 | 20.1.x |
| oracle / banking_apis | 21.1 | 21.1.x |
| oracle / communications_cloud_native_core_binding_support_function | 1.10.0 | 1.10.0.x |
| oracle / communications_diameter_signaling_router | 8.0.0.0 | 8.5.0.2.x |
| oracle / communications_cloud_native_core_policy | 1.15.0 | 1.15.0.x |
| oracle / communications_cloud_native_core_unified_data_repository | 1.15.0 | 1.15.0.x |
| oracle / communications_cloud_native_core_network_slice_selection_function | 1.8.0 | 1.8.0.x |
| oracle / communications_cloud_native_core_binding_support_function | 1.11.0 | 1.11.0.x |
| oracle / helidon | 2.4.0 | 2.4.0.x |
| oracle / helidon | 1.4.10 | 1.4.10.x |
| oracle / communications_instant_messaging_server | 8.1 | 8.1.x |
| oracle / communications_brm_-_elastic_charging_engine | - | 12.0.0.4.6 |
| oracle / communications_brm_-_elastic_charging_engine | 12-0.0.5.0 | 12-0.0.5.0.x |
| debian / debian_linux | 10.0 | 10.0.x |
| debian / debian_linux | 11.0 | 11.0.x |
| io.netty / netty-codec | - | 4.1.68.Final |