CVE编号
CVE-2020-11612利用情况
暂无补丁情况
官方补丁披露时间
2020-04-08漏洞描述
Netty是Netty社区的一款非阻塞I/O客户端-服务器框架,它主要用于开发Java网络应用程序,如协议服务器和客户端等。 Netty 4.1.46之前的4.1.x版本中的ZlibDecoders存在缓冲区错误漏洞,该漏洞源于程序在解码ZlibEncoded字节流时没有限制内存分配。攻击者可通过发送大量ZlibEncoded字节流到Netty服务器利用该漏洞占用资源,导致拒绝服务。解决建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:https://github.com/netty/netty/pull/9924
参考链接 |
|
|---|---|
| https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final | |
| https://github.com/netty/netty/issues/6168 | |
| https://github.com/netty/netty/pull/9924 | |
| https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c... | |
| https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba... | |
| https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2... | |
| https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927... | |
| https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20b... | |
| https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd... | |
| https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc... | |
| https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555... | |
| https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83... | |
| https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca0... | |
| https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24... | |
| https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a... | |
| https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a96399686... | |
| https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23... | |
| https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb684609842... | |
| https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba... | |
| https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74... | |
| https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b... | |
| https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d702... | |
| https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac7... | |
| https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06... | |
| https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e... | |
| https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf4... | |
| https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd... | |
| https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e22... | |
| https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33... | |
| https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e01... | |
| https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128... | |
| https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f62... | |
| https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2... | |
| https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32... | |
| https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a44... | |
| https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb... | |
| https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf... | |
| https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html | |
| https://lists.fedoraproject.org/archives/list/[email protected]... | |
| https://security.netapp.com/advisory/ntap-20201223-0001/ | |
| https://www.debian.org/security/2021/dsa-4885 | |
| https://www.oracle.com//security-alerts/cpujul2021.html | |
| https://www.oracle.com/security-alerts/cpuApr2021.html | |
| https://www.oracle.com/security-alerts/cpujan2021.html |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | netapp | oncommand_api_services | - | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | netapp | oncommand_insight | - | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | netapp | oncommand_workflow_automation | - | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | netty | netty | * |
From (including) 4.1 |
Up to (excluding) 4.1.46 |
||||
| 运行在以下环境 | |||||||||
| 系统 | debian_10 | netty | * |
Up to (excluding) 1:4.1.33-1+deb10u2 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_9 | netty | * |
Up to (excluding) 1:4.1.7-2+deb9u2 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_33 | netty | * |
Up to (excluding) 3.1.0-1.fc33 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_18.04 | netty | * |
Up to (excluding) 1:4.1.7-4ubuntu0.1 |
|||||
- 攻击路径 远程
- 攻击复杂度 复杂
- 权限要求 无需权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 无影响
- 服务器危害 无影响
- 全网数量 100
还没有评论,来说两句吧...