{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"netty3 security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for netty3 is now available for openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.\n\nSecurity Fix(es):\n\nNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have; an attacker can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field; this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final. That version number refers to the Netty 4.1 release line; for openEuler, the netty3-3.10.6-9 packages listed in this advisory are the ones marked as fixed.(CVE-2024-29025)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for netty3 is now available for openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"netty3",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2024-2379",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2379"
			},
			{
				"summary":"CVE-2024-29025",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-29025&packageName=netty3"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29025"
			},
			{
				"summary":"openEuler-SA-2024-2379 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openeuler-sa-2024-2379.json"
			}
		],
		"title":"An update for netty3 is now available for openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1",
		"tracking":{
			"initial_release_date":"2024-11-15T20:13:30+08:00",
			"revision_history":[
				{
					"date":"2024-11-15T20:13:30+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2024-11-15T20:13:30+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-11-15T20:13:30+08:00",
			"id":"openEuler-SA-2024-2379",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"openEuler-24.03-LTS",
									"name":"openEuler-24.03-LTS"
								},
								"name":"openEuler-24.03-LTS",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"openEuler-22.03-LTS-SP4",
									"name":"openEuler-22.03-LTS-SP4"
								},
								"name":"openEuler-22.03-LTS-SP4",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"openEuler-22.03-LTS-SP3",
									"name":"openEuler-22.03-LTS-SP3"
								},
								"name":"openEuler-22.03-LTS-SP3",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"openEuler-20.03-LTS-SP4",
									"name":"openEuler-20.03-LTS-SP4"
								},
								"name":"openEuler-20.03-LTS-SP4",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"openEuler-22.03-LTS-SP1",
									"name":"openEuler-22.03-LTS-SP1"
								},
								"name":"openEuler-22.03-LTS-SP1",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"netty3-3.10.6-9.oe2403.noarch.rpm",
									"name":"netty3-3.10.6-9.oe2403.noarch.rpm"
								},
								"name":"netty3-3.10.6-9.oe2403.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"netty3-3.10.6-9.oe2203sp4.noarch.rpm",
									"name":"netty3-3.10.6-9.oe2203sp4.noarch.rpm"
								},
								"name":"netty3-3.10.6-9.oe2203sp4.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"netty3-3.10.6-9.oe2203sp3.noarch.rpm",
									"name":"netty3-3.10.6-9.oe2203sp3.noarch.rpm"
								},
								"name":"netty3-3.10.6-9.oe2203sp3.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"netty3-3.10.6-9.oe2003sp4.noarch.rpm",
									"name":"netty3-3.10.6-9.oe2003sp4.noarch.rpm"
								},
								"name":"netty3-3.10.6-9.oe2003sp4.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"netty3-3.10.6-9.oe2203sp1.noarch.rpm",
									"name":"netty3-3.10.6-9.oe2203sp1.noarch.rpm"
								},
								"name":"netty3-3.10.6-9.oe2203sp1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"netty3-3.10.6-9.oe2403.src.rpm",
									"name":"netty3-3.10.6-9.oe2403.src.rpm"
								},
								"name":"netty3-3.10.6-9.oe2403.src.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"netty3-3.10.6-9.oe2203sp4.src.rpm",
									"name":"netty3-3.10.6-9.oe2203sp4.src.rpm"
								},
								"name":"netty3-3.10.6-9.oe2203sp4.src.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"netty3-3.10.6-9.oe2203sp3.src.rpm",
									"name":"netty3-3.10.6-9.oe2203sp3.src.rpm"
								},
								"name":"netty3-3.10.6-9.oe2203sp3.src.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"netty3-3.10.6-9.oe2003sp4.src.rpm",
									"name":"netty3-3.10.6-9.oe2003sp4.src.rpm"
								},
								"name":"netty3-3.10.6-9.oe2003sp4.src.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"netty3-3.10.6-9.oe2203sp1.src.rpm",
									"name":"netty3-3.10.6-9.oe2203sp1.src.rpm"
								},
								"name":"netty3-3.10.6-9.oe2203sp1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"netty3-3.10.6-9.oe2403.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:netty3-3.10.6-9.oe2403.noarch",
					"name":"netty3-3.10.6-9.oe2403.noarch as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"netty3-3.10.6-9.oe2203sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:netty3-3.10.6-9.oe2203sp4.noarch",
					"name":"netty3-3.10.6-9.oe2203sp4.noarch as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"netty3-3.10.6-9.oe2203sp3.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:netty3-3.10.6-9.oe2203sp3.noarch",
					"name":"netty3-3.10.6-9.oe2203sp3.noarch as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"netty3-3.10.6-9.oe2003sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:netty3-3.10.6-9.oe2003sp4.noarch",
					"name":"netty3-3.10.6-9.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP1",
				"product_reference":"netty3-3.10.6-9.oe2203sp1.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP1:netty3-3.10.6-9.oe2203sp1.noarch",
					"name":"netty3-3.10.6-9.oe2203sp1.noarch as a component of openEuler-22.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"netty3-3.10.6-9.oe2403.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:netty3-3.10.6-9.oe2403.src",
					"name":"netty3-3.10.6-9.oe2403.src as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"netty3-3.10.6-9.oe2203sp4.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:netty3-3.10.6-9.oe2203sp4.src",
					"name":"netty3-3.10.6-9.oe2203sp4.src as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"netty3-3.10.6-9.oe2203sp3.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:netty3-3.10.6-9.oe2203sp3.src",
					"name":"netty3-3.10.6-9.oe2203sp3.src as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"netty3-3.10.6-9.oe2003sp4.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:netty3-3.10.6-9.oe2003sp4.src",
					"name":"netty3-3.10.6-9.oe2003sp4.src as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP1",
				"product_reference":"netty3-3.10.6-9.oe2203sp1.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP1:netty3-3.10.6-9.oe2203sp1.src",
					"name":"netty3-3.10.6-9.oe2203sp1.src as a component of openEuler-22.03-LTS-SP1"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2024-29025",
			"notes":[
				{
					"text":"Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have; an attacker can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field; this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:netty3-3.10.6-9.oe2403.noarch",
					"openEuler-22.03-LTS-SP4:netty3-3.10.6-9.oe2203sp4.noarch",
					"openEuler-22.03-LTS-SP3:netty3-3.10.6-9.oe2203sp3.noarch",
					"openEuler-20.03-LTS-SP4:netty3-3.10.6-9.oe2003sp4.noarch",
					"openEuler-22.03-LTS-SP1:netty3-3.10.6-9.oe2203sp1.noarch",
					"openEuler-24.03-LTS:netty3-3.10.6-9.oe2403.src",
					"openEuler-22.03-LTS-SP4:netty3-3.10.6-9.oe2203sp4.src",
					"openEuler-22.03-LTS-SP3:netty3-3.10.6-9.oe2203sp3.src",
					"openEuler-20.03-LTS-SP4:netty3-3.10.6-9.oe2003sp4.src",
					"openEuler-22.03-LTS-SP1:netty3-3.10.6-9.oe2203sp1.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:netty3-3.10.6-9.oe2403.noarch",
						"openEuler-22.03-LTS-SP4:netty3-3.10.6-9.oe2203sp4.noarch",
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-9.oe2203sp3.noarch",
						"openEuler-20.03-LTS-SP4:netty3-3.10.6-9.oe2003sp4.noarch",
						"openEuler-22.03-LTS-SP1:netty3-3.10.6-9.oe2203sp1.noarch",
						"openEuler-24.03-LTS:netty3-3.10.6-9.oe2403.src",
						"openEuler-22.03-LTS-SP4:netty3-3.10.6-9.oe2203sp4.src",
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-9.oe2203sp3.src",
						"openEuler-20.03-LTS-SP4:netty3-3.10.6-9.oe2003sp4.src",
						"openEuler-22.03-LTS-SP1:netty3-3.10.6-9.oe2203sp1.src"
					],
					"details":"netty3 security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2379"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.3,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:netty3-3.10.6-9.oe2403.noarch",
						"openEuler-22.03-LTS-SP4:netty3-3.10.6-9.oe2203sp4.noarch",
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-9.oe2203sp3.noarch",
						"openEuler-20.03-LTS-SP4:netty3-3.10.6-9.oe2003sp4.noarch",
						"openEuler-22.03-LTS-SP1:netty3-3.10.6-9.oe2203sp1.noarch",
						"openEuler-24.03-LTS:netty3-3.10.6-9.oe2403.src",
						"openEuler-22.03-LTS-SP4:netty3-3.10.6-9.oe2203sp4.src",
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-9.oe2203sp3.src",
						"openEuler-20.03-LTS-SP4:netty3-3.10.6-9.oe2003sp4.src",
						"openEuler-22.03-LTS-SP1:netty3-3.10.6-9.oe2203sp1.src"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2024-29025"
		}
	]
}