io.netty:netty-handler 4.1.0.CR5 vulnerabilities

Known vulnerabilities in the io.netty:netty-handler package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Denial of Service (DoS) io.netty:netty-handler is a library that provides an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server. Affected versions of this package are vulnerable to Denial of Service (DoS) such that if the user has no idle timeout handler configured it might be possible for a remote peer to send a `client hello` packet which leads the server to buffer up to 16MB of data per connection. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Note: An attacker can craft a packet that makes the `SslClientHelloHandler` to: Allocate a 16MB `ByteBuf`. Not fail `decode` method in buffer. Get out of the loop without an exception. The combination of this without the use of a timeout makes it easy to connect to a TCP server and allocate 16MB of heap memory per connection. How to fix Denial of Service (DoS)? Upgrade `io.netty:netty-handler` to version 4.1.94.Final or higher.	[,4.1.94.Final)
M Information Disclosure io.netty:netty-handler is a library that provides an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server. Affected versions of this package are vulnerable to Information Disclosure via the `AbstractDiskHttpData` method, and on Unix-like systems. When `netty`'s multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk are enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using API's that do not explicitly set the file/directory permissions can lead to information disclosure. The method `File.createTempFile` on unix-like systems creates a random file, but, by default will create this file with the permissions `-rw-r--r--`. Sensitive information is written to this file in `AbstractDiskHttpData`, and other local users can read it. How to fix Information Disclosure? Upgrade `io.netty:netty-handler` to version 4.1.59.Final or higher.	[4.0.0.Final,4.1.59.Final)
M Insecure Defaults `io.netty:netty` is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. Affected version of this package did not properly ensure that the certificate is actually associated with that host. How to fix Insecure Defaults? Upgrade `netty` to versions `4.0.45`, `4.1.9` or higher.	[,4.0.45.Final)[4.1.0.Beta1,4.1.9.Final)
H Denial of Service (DoS) `io.netty:netty-handler` Affected versions of this package are vulnerable to infinite loop Denial of Service (DoS) attacks via a flaw in Netty's OpenSslEngine handling of renegotiation. Note: Netty is only vulnerable if renegotiation is enabled (It is a default setting). How to fix Denial of Service (DoS)? Upgrade `io.netty:netty-handler` 4.0.37.Final, 4.1.1.Final or higher.	[4.0.0.Alpha1,4.0.37.Final)[4.1.0.Beta1,4.1.1.Final)

Vulnerability

Vulnerable Version

Denial of Service (DoS)

io.netty:netty-handler is a library that provides an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Affected versions of this package are vulnerable to Denial of Service (DoS) such that if the user has no idle timeout handler configured it might be possible for a remote peer to send a client hello packet which leads the server to buffer up to 16MB of data per connection.

The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record.

Note:

An attacker can craft a packet that makes the SslClientHelloHandler to:

Allocate a 16MB ByteBuf.
Not fail decode method in buffer.
Get out of the loop without an exception.

The combination of this without the use of a timeout makes it easy to connect to a TCP server and allocate 16MB of heap memory per connection.

How to fix Denial of Service (DoS)?

Upgrade io.netty:netty-handler to version 4.1.94.Final or higher.

[,4.1.94.Final)

Information Disclosure

Affected versions of this package are vulnerable to Information Disclosure via the AbstractDiskHttpData method, and on Unix-like systems.

When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk are enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using API's that do not explicitly set the file/directory permissions can lead to information disclosure. The method File.createTempFile on unix-like systems creates a random file, but, by default will create this file with the permissions -rw-r--r--. Sensitive information is written to this file in AbstractDiskHttpData, and other local users can read it.

How to fix Information Disclosure?

Upgrade io.netty:netty-handler to version 4.1.59.Final or higher.

[4.0.0.Final,4.1.59.Final)

Insecure Defaults

io.netty:netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients.

Affected version of this package did not properly ensure that the certificate is actually associated with that host.

How to fix Insecure Defaults?

Upgrade netty to versions 4.0.45, 4.1.9 or higher.

[,4.0.45.Final)[4.1.0.Beta1,4.1.9.Final)

Denial of Service (DoS)

io.netty:netty-handler Affected versions of this package are vulnerable to infinite loop Denial of Service (DoS) attacks via a flaw in Netty's OpenSslEngine handling of renegotiation.

Note: Netty is only vulnerable if renegotiation is enabled (It is a default setting).

How to fix Denial of Service (DoS)?

Upgrade io.netty:netty-handler 4.0.37.Final, 4.1.1.Final or higher.

[4.0.0.Alpha1,4.0.37.Final)[4.1.0.Beta1,4.1.1.Final)

io.netty:netty-handler@4.1.0.CR5 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?