Netty 缓冲区错误漏洞

CNNVD-ID编号	CNNVD-202004-377
CVE编号	CVE-2020-11612
发布时间	2020-04-07
更新时间	2021-01-20
漏洞类型	缓冲区错误
漏洞来源	N/A
危险等级	超危
威胁类型	远程
厂商	N/A

漏洞介绍

Netty是Netty社区的一款非阻塞I/O客户端-服务器框架，它主要用于开发Java网络应用程序，如协议服务器和客户端等。

Netty 4.1.46之前的4.1.x版本中的ZlibDecoders存在缓冲区错误漏洞，该漏洞源于程序在解码ZlibEncoded字节流时没有限制内存分配。攻击者可通过发送大量ZlibEncoded字节流到Netty服务器利用该漏洞占用资源，导致拒绝服务。

漏洞补丁

目前厂商已发布升级了Netty 缓冲区错误漏洞的补丁，Netty 缓冲区错误漏洞的补丁获取链接：

https://github.com/netty/netty/pull/9924

参考网址

来源:MLIST

链接：https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba57e4beeeb699c097a@%3Ccommits.druid.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf48641c8be25d62d9f9@%3Ccommits.druid.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e221c490edbe2d7ad365@%3Cnotifications.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06d2278866c30c7febb@%3Ccommits.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128627186531730f50ef@%3Cnotifications.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b3eb2128af33830997@%3Ccommits.zookeeper.apache.org%3E
来源:MISC

链接：https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final
来源:MLIST

链接：https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf2bc41f60f001704e9@%3Ccommits.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24a13ab2669f274251a@%3Cnotifications.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca03e8bfc687cd2427ab@%3Cnotifications.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb2f7ff85f617704cf1@%3Cdev.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e074164d50122ec5ec@%3Ccommits.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd3b890c50df718bed1@%3Ccommits.druid.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32864f932f63c972844@%3Cnotifications.zookeeper.apache.org%3E
来源:MISC

链接：https://github.com/netty/netty/pull/9924
来源:MLIST

链接：https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc43473d062867ef70d@%3Cnotifications.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a4497baebe319043f4d5@%3Ccommits.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html
来源:MLIST

链接：https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f626be030a3c6d6c7f83@%3Ccommits.pulsar.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e019613fa90419cf63f4@%3Cissues.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac724a976923c268a42f@%3Ccommits.druid.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83cd879aa21e2cfeb24@%3Cnotifications.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a6847583dd6b7b1ee7@%3Cissues.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba042c7ad2f3c62cec7@%3Cissues.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555e1eca6a2f28636692@%3Cnotifications.zookeeper.apache.org%3E
来源:MISC

链接：https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71@%3Cnotifications.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2ce9840cce87c7df6b@%3Ccommits.zookeeper.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927501880f15852a9b53@%3Ccommits.druid.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d70256d11ea447215a70c@%3Cissues.zookeeper.apache.org%3E
来源:MISC

链接：https://github.com/netty/netty/issues/6168
来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/
来源:CONFIRM

链接：https://security.netapp.com/advisory/ntap-20201223-0001/
来源:MLIST

链接：https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c0886c0c133f4d3b6f@%3Ccommits.druid.apache.org%3E
来源:MLIST

链接：https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a963996869c44c478eb1c61082@%3Ccommits.zookeeper.apache.org%3E
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.1556/
来源:www.nsfocus.net

链接：http://www.nsfocus.net/vulndb/48468
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/160562/Red-Hat-Security-Advisory-2020-5568-01.html
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-mobile-enterprise-gateway-vulnerable-to-denial-of-service-cve-2020-11612/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159741/Ubuntu-Security-Notice-USN-4600-2.html
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-affects-ibm-spectrum-scale-transparent-cloud-tieringcve-2020-7238-2/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/158534/Red-Hat-Security-Advisory-2020-3133-01.html
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2992/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.4464/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159015/Red-Hat-Security-Advisory-2020-3585-01.html
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/158128/Red-Hat-Security-Advisory-2020-2605-01.html
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3040/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2205/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/157507/Red-Hat-Security-Advisory-2020-1422-01.html
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2837/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2619/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/158916/Red-Hat-Security-Advisory-2020-3501-01.html
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-a-netty-vulnerability-cve-2020-11612/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2092/
来源:www.oracle.com

链接：https://www.oracle.com/security-alerts/cpujan2021.html
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3534/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.1416/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/158651/Red-Hat-Security-Advisory-2020-3197-01.html
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3326/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/157352/Red-Hat-Security-Advisory-2020-1538-01.html
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/158220/Red-Hat-Security-Advisory-2020-2751-01.html
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159208/Red-Hat-Security-Advisory-2020-3779-01.html
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2139/
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-netty-4-1-x-before-4-1-46-affects-ibm-operations-analytics-predictive-insights-cve-2020-11612/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159551/Red-Hat-Security-Advisory-2020-4252-01.html
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2537/
来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been-identified-in-netty-shipped-with-ibm-tivoli-netcool-omnibus-transport-module-common-integration-library-cve-2020-11612/
来源:nvd.nist.gov

链接：https://nvd.nist.gov/vuln/detail/CVE-2020-11612
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3190/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3049/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/158150/Red-Hat-Security-Advisory-2020-2618-01.html
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3697/

受影响实体

暂无

信息来源

http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202004-377