{"id":"USN-6049-1","summary":"netty vulnerabilities","details":"It was discovered that Netty's Zlib decoders did not limit memory\nallocations. A remote attacker could possibly use this issue to cause\nNetty to exhaust memory via malicious input, leading to a denial of\nservice. This issue only affected Ubuntu 16.04 ESM and Ubuntu 20.04 ESM.\n(CVE-2020-11612)\n\nIt was discovered that Netty created temporary files with excessive\npermissions. A local attacker could possibly use this issue to expose\nsensitive information. This issue only affected Ubuntu 16.04 ESM, Ubuntu\n18.04 ESM, and Ubuntu 20.04 ESM. (CVE-2021-21290)\n\nIt was discovered that Netty did not properly validate content-length\nheaders. A remote attacker could possibly use this issue to smuggle\nrequests. This issue was only fixed in Ubuntu 20.04 ESM. (CVE-2021-21295,\nCVE-2021-21409)\n\nIt was discovered that Netty's Bzip2 decompression decoder did not limit\nthe decompressed output data size. A remote attacker could possibly use\nthis issue to cause Netty to exhaust memory via malicious input, leading\nto a denial of service. This issue only affected Ubuntu 18.04 ESM, Ubuntu\n20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2021-37136)\n\nIt was discovered that Netty's Snappy frame decoder function did not limit\nchunk lengths. A remote attacker could possibly use this issue to cause\nNetty to exhaust memory via malicious input, leading to a denial of\nservice. (CVE-2021-37137)\n\nIt was discovered that Netty did not properly handle control chars at the\nbeginning and end of header names. A remote attacker could possibly use\nthis issue to smuggle requests. This issue only affected Ubuntu 18.04 ESM,\nUbuntu 20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2021-43797)\n\nIt was discovered that Netty could be made into an infinite recursion when\nparsing a malformed crafted message. A remote attacker could possibly use\nthis issue to cause Netty to crash, leading to a denial of service. This\nissue only affected Ubuntu 20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu 22.10.\n(CVE-2022-41881)\n\nIt was discovered that Netty did not validate header values under certain\ncircumstances. A remote attacker could possibly use this issue to perform\nHTTP response splitting via malicious header values. This issue only\naffected Ubuntu 18.04 ESM, Ubuntu 20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu\n22.10. (CVE-2022-41915)\n","modified":"2026-04-27T16:26:42.520552Z","published":"2023-04-28T16:02:26Z","related":["UBUNTU-CVE-2020-11612","UBUNTU-CVE-2021-21290","UBUNTU-CVE-2021-21295","UBUNTU-CVE-2021-21409","UBUNTU-CVE-2021-37136","UBUNTU-CVE-2021-37137","UBUNTU-CVE-2021-43797","UBUNTU-CVE-2022-41881","UBUNTU-CVE-2022-41915"],"upstream":["CVE-2020-11612","CVE-2021-21290","CVE-2021-21295","CVE-2021-21409","CVE-2021-37136","CVE-2021-37137","CVE-2021-43797","CVE-2022-41881","CVE-2022-41915","UBUNTU-CVE-2020-11612","UBUNTU-CVE-2021-21290","UBUNTU-CVE-2021-21295","UBUNTU-CVE-2021-21409","UBUNTU-CVE-2021-37136","UBUNTU-CVE-2021-37137","UBUNTU-CVE-2021-43797","UBUNTU-CVE-2022-41881","UBUNTU-CVE-2022-41915"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6049-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-11612"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21290"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21295"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21409"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-37136"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-37137"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-43797"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-41881"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-41915"}],"affected":[{"package":{"name":"netty","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/netty@1:4.0.34-1ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:4.0.34-1ubuntu0.1~esm1"}]}],"versions":["1:3.2.6.Final-2","1:4.0.32-1","1:4.0.33-1","1:4.0.34-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:4.0.34-1ubuntu0.1~esm1","binary_name":"libnetty-java"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6049-1.json","cves_map":{"cves":[{"id":"CVE-2020-11612","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-21290","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-21295","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-21409","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-37136","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-37137","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-43797","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-41881","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-41915","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}},{"package":{"name":"netty","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/netty@1:4.1.7-4ubuntu0.1+esm2?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:4.1.7-4ubuntu0.1+esm2"}]}],"versions":["1:4.1.7-4","1:4.1.7-4ubuntu0.1~esm1","1:4.1.7-4ubuntu0.1","1:4.1.7-4ubuntu0.1+esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:4.1.7-4ubuntu0.1+esm2","binary_name":"libnetty-java"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6049-1.json","cves_map":{"cves":[{"id":"CVE-2021-21290","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-21295","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-21409","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-37136","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-37137","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-43797","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-41881","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-41915","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:18.04:LTS"}}},{"package":{"name":"netty","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/netty@1:4.1.45-1ubuntu0.1~esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:4.1.45-1ubuntu0.1~esm1"}]}],"versions":["1:4.1.33-1","1:4.1.33-2","1:4.1.33-3","1:4.1.45-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:4.1.45-1ubuntu0.1~esm1","binary_name":"libnetty-java"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6049-1.json","cves_map":{"cves":[{"id":"CVE-2020-11612","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-21290","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-21295","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-21409","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-37136","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-37137","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-43797","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-41881","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-41915","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:Pro:20.04:LTS"}}},{"package":{"name":"netty","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/netty@1:4.1.48-4+deb11u1build0.22.04.1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:4.1.48-4+deb11u1build0.22.04.1"}]}],"versions":["1:4.1.48-4"],"ecosystem_specific":{"binaries":[{"binary_version":"1:4.1.48-4+deb11u1build0.22.04.1","binary_name":"libnetty-java"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6049-1.json","cves_map":{"cves":[{"id":"CVE-2021-21290","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-21295","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-21409","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-37136","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-37137","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2021-43797","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-41881","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2022-41915","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:22.04:LTS"}}}],"schema_version":"1.7.5"}