The latest YAJSW patch #12.16 ships "netty-4.1.63.Final", which is impacted by BDSA-2021-2832 or BDSA-2021-2831. This component needs to be upgraded to version "4.1.68.Final", which is not impacted by this vulnerability.
Just to update:
There isn't a public CVE available for this yet, but Black Duck has identified this as a valid issue:
1. Netty Vulnerable to Denial-of-Service (DoS) via Missing Chunk Length Restrictions in 'SnappyFrameDecoder.java' (BDSA-2021-2831)
2. Netty Vulnerable to Denial-of-Service (DoS) via Inability to Set Size Restrictions on Decompressed Output Data (BDSA-2021-2832)
Solution - Fix Available
Fixed in version netty-4.1.68.Final by this commit.
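A small check that a YAJSW user could run against the bundled lib directory before and after upgrading, written as an added example for this thread (it is not YAJSW or Netty code). It assumes the bundled jars follow Maven naming such as "netty-all-4.1.63.Final.jar" and that the 4.1.68.Final threshold from this thread applies to every netty-* artifact; the sample listing is constructed, not taken from a real YAJSW bundle.

```python
"""Flag Netty jars older than the release that carries the fix for BDSA-2021-2831/2832."""
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Threshold named in the thread: 4.1.68.Final is the first fixed release.
FIXED_NETTY_VERSION = "4.1.68.Final"

# Assumption: bundled jars use Maven naming, e.g. "netty-codec-4.1.63.Final.jar".
_NETTY_JAR = re.compile(
    r"^(?P<artifact>netty(?:-[a-z0-9]+)*)-"
    r"(?P<version>\d+\.\d+\.\d+(?:\.[A-Za-z0-9]+)?)\.jar$"
)


def version_key(version: str) -> Tuple[int, int, int]:
    """Numeric part of a Netty version ("4.1.63.Final" -> (4, 1, 63)).
    The qualifier is ignored because every 4.1.x GA release uses 'Final'."""
    major, minor, patch = version.split(".")[:3]
    return (int(major), int(minor), int(patch))


def parse_netty_jar(name: str) -> Optional[Tuple[str, str]]:
    """Return (artifact, version) for a Netty jar file name, or None for other jars."""
    m = _NETTY_JAR.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def find_vulnerable(jar_names: Iterable[str],
                    fixed: str = FIXED_NETTY_VERSION) -> List[Tuple[str, str]]:
    """Every Netty jar whose version is below the fixed release, in input order."""
    threshold = version_key(fixed)
    hits: List[Tuple[str, str]] = []
    for name in jar_names:
        parsed = parse_netty_jar(name)
        if parsed is None:
            continue  # not a Netty artifact
        _artifact, version = parsed
        if version_key(version) < threshold:
            hits.append((name, version))
    return hits


def scan_lib_dir(lib_dir: str, fixed: str = FIXED_NETTY_VERSION) -> List[Tuple[str, str]]:
    """Apply find_vulnerable to the *.jar files under a real directory (e.g. yajsw/lib)."""
    names = sorted(p.name for p in Path(lib_dir).rglob("*.jar"))
    return find_vulnerable(names, fixed)


# Constructed sample listing for offline use; not a real YAJSW bundle.
SAMPLE_LIB_JARS = [
    "netty-all-4.1.63.Final.jar",
    "netty-codec-4.1.63.Final.jar",
    "commons-io-2.8.0.jar",
    "netty-transport-4.1.68.Final.jar",
]

if __name__ == "__main__":
    for name, version in find_vulnerable(SAMPLE_LIB_JARS):
        print(f"UPGRADE {name}: {version} is below {FIXED_NETTY_VERSION}")
```

Run `scan_lib_dir("path/to/yajsw/lib")` on the unpacked distribution; an empty list means no bundled Netty jar is older than 4.1.68.Final. The check only looks at file names, so it will not catch a Netty copy shaded into another jar.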
Hello,
Any update on this?
fixed: release 13.01
Hi @rzo,
What is the ETA for 13.01 release?