CVE - CVE-2020-11612

CVE-ID
CVE-2020-11612	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://security.netapp.com/advisory/ntap-20201223-0001/ URL:https://security.netapp.com/advisory/ntap-20201223-0001/ DEBIAN:DSA-4885 URL:https://www.debian.org/security/2021/dsa-4885 FEDORA:FEDORA-2020-66b5f85ccc URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/ MISC:https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final URL:https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final MISC:https://github.com/netty/netty/issues/6168 URL:https://github.com/netty/netty/issues/6168 MISC:https://github.com/netty/netty/pull/9924 URL:https://github.com/netty/netty/pull/9924 MISC:https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71@%3Cnotifications.zookeeper.apache.org%3E URL:https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71@%3Cnotifications.zookeeper.apache.org%3E MISC:https://www.oracle.com//security-alerts/cpujul2021.html URL:https://www.oracle.com//security-alerts/cpujul2021.html MISC:https://www.oracle.com/security-alerts/cpuApr2021.html URL:https://www.oracle.com/security-alerts/cpuApr2021.html MISC:https://www.oracle.com/security-alerts/cpuapr2022.html URL:https://www.oracle.com/security-alerts/cpuapr2022.html MISC:https://www.oracle.com/security-alerts/cpujan2021.html URL:https://www.oracle.com/security-alerts/cpujan2021.html MLIST:[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update URL:https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html MLIST:[druid-commits] 20200408 [GitHub] [druid] ccaominh opened a new pull request #9651: Upgrade netty 4 to fix CVE-2020-11612 URL:https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927501880f15852a9b53@%3Ccommits.druid.apache.org%3E MLIST:[druid-commits] 20200409 [GitHub] [druid] ccaominh commented on issue #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651) URL:https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf48641c8be25d62d9f9@%3Ccommits.druid.apache.org%3E MLIST:[druid-commits] 20200409 [GitHub] [druid] ccaominh opened a new pull request #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651) URL:https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c0886c0c133f4d3b6f@%3Ccommits.druid.apache.org%3E MLIST:[druid-commits] 20200409 [GitHub] [druid] jon-wei merged pull request #9651: Upgrade netty 4 to fix CVE-2020-11612 URL:https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd3b890c50df718bed1@%3Ccommits.druid.apache.org%3E MLIST:[druid-commits] 20200409 [GitHub] [druid] jon-wei merged pull request #9654: [Backport] Upgrade netty 4 to fix CVE-2020-11612 (#9651) URL:https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac724a976923c268a42f@%3Ccommits.druid.apache.org%3E MLIST:[druid-commits] 20200409 [druid] branch 0.18.0 updated: Upgrade netty 4 to fix CVE-2020-11612 (#9651) (#9654) URL:https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba57e4beeeb699c097a@%3Ccommits.druid.apache.org%3E MLIST:[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink URL:https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E MLIST:[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink URL:https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E MLIST:[pulsar-commits] 20200416 [GitHub] [pulsar] massakam opened a new pull request #6746: [build] Bump netty version to 4.1.48.Final URL:https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f626be030a3c6d6c7f83@%3Ccommits.pulsar.apache.org%3E MLIST:[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 URL:https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E MLIST:[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 URL:https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E MLIST:[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444 URL:https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E MLIST:[zookeeper-commits] 20200415 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e074164d50122ec5ec@%3Ccommits.zookeeper.apache.org%3E MLIST:[zookeeper-commits] 20200415 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b3eb2128af33830997@%3Ccommits.zookeeper.apache.org%3E MLIST:[zookeeper-commits] 20200415 [zookeeper] branch master updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2ce9840cce87c7df6b@%3Ccommits.zookeeper.apache.org%3E MLIST:[zookeeper-commits] 20200415 [zookeeper] branch release-3.6.1 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf2bc41f60f001704e9@%3Ccommits.zookeeper.apache.org%3E MLIST:[zookeeper-commits] 20200504 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo URL:https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a963996869c44c478eb1c61082@%3Ccommits.zookeeper.apache.org%3E MLIST:[zookeeper-commits] 20200504 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo URL:https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a4497baebe319043f4d5@%3Ccommits.zookeeper.apache.org%3E MLIST:[zookeeper-commits] 20200504 [zookeeper] branch master updated: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 - fixed file rename typo URL:https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06d2278866c30c7febb@%3Ccommits.zookeeper.apache.org%3E MLIST:[zookeeper-dev] 20200413 [jira] [Created] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb2f7ff85f617704cf1@%3Cdev.zookeeper.apache.org%3E MLIST:[zookeeper-issues] 20200413 [jira] [Assigned] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba042c7ad2f3c62cec7@%3Cissues.zookeeper.apache.org%3E MLIST:[zookeeper-issues] 20200413 [jira] [Created] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d70256d11ea447215a70c@%3Cissues.zookeeper.apache.org%3E MLIST:[zookeeper-issues] 20200413 [jira] [Updated] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a6847583dd6b7b1ee7@%3Cissues.zookeeper.apache.org%3E MLIST:[zookeeper-issues] 20200415 [jira] [Resolved] (ZOOKEEPER-3794) upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e019613fa90419cf63f4@%3Cissues.zookeeper.apache.org%3E MLIST:[zookeeper-notifications] 20200413 [GitHub] [zookeeper] phunt opened a new pull request #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128627186531730f50ef@%3Cnotifications.zookeeper.apache.org%3E MLIST:[zookeeper-notifications] 20200414 [GitHub] [zookeeper] eolivelli commented on issue #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32864f932f63c972844@%3Cnotifications.zookeeper.apache.org%3E MLIST:[zookeeper-notifications] 20200414 [GitHub] [zookeeper] phunt commented on issue #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e221c490edbe2d7ad365@%3Cnotifications.zookeeper.apache.org%3E MLIST:[zookeeper-notifications] 20200415 Build failed in Jenkins: zookeeper-branch36-java8 #137 URL:https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc43473d062867ef70d@%3Cnotifications.zookeeper.apache.org%3E MLIST:[zookeeper-notifications] 20200415 Build failed in Jenkins: zookeeper-master-maven-jdk12 #465 URL:https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca03e8bfc687cd2427ab@%3Cnotifications.zookeeper.apache.org%3E MLIST:[zookeeper-notifications] 20200415 [GitHub] [zookeeper] eolivelli closed pull request #1319: ZOOKEEPER-3794: upgrade netty to address CVE-2020-11612 URL:https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555e1eca6a2f28636692@%3Cnotifications.zookeeper.apache.org%3E MLIST:[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven #784 URL:https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83cd879aa21e2cfeb24@%3Cnotifications.zookeeper.apache.org%3E MLIST:[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-jdk12 #490 URL:https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24a13ab2669f274251a@%3Cnotifications.zookeeper.apache.org%3E MLIST:[zookeeper-notifications] 20200504 Build failed in Jenkins: zookeeper-master-maven-owasp #489 URL:https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E
Assigning CNA
MITRE Corporation
Date Record Created
20200407	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20200407)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)