#VU41436 Buffer overflow in Netty


Published: 2014-07-31 | Updated: 2020-08-10

Vulnerability identifier: #VU41436

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-3488

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Netty
Universal components / Libraries / Libraries used by multiple products

Vendor: Netty project

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Netty: 3.6.0 - 3.9.1

External links
http://netty.io/news/2014/06/11/3-9-2-Final.html
http://secunia.com/advisories/59196
http://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994
http://github.com/netty/netty/issues/2562
http://lists.debian.org/debian-lts-announce/2020/02/msg00018.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM PureData System for Operational Analytics
Buffer overflow in Netty