{"affected_release": [{"advisory": "RHSA-2022:2216", "cpe": "cpe:/a:redhat:logging:5.4::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-156", "product_name": "Logging subsystem for Red Hat OpenShift 5.4", "release_date": "2022-05-11T00:00:00Z"}, {"advisory": "RHSA-2021:5128", "cpe": "cpe:/a:redhat:logging:5.1::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-67", "product_name": "OpenShift Logging 5.1", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2021:5127", "cpe": "cpe:/a:redhat:logging:5.2::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-66", "product_name": "OpenShift Logging 5.2", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2022:2218", "cpe": "cpe:/a:redhat:logging:5.2::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-157", "product_name": "OpenShift Logging 5.2", "release_date": "2022-05-11T00:00:00Z"}, {"advisory": "RHSA-2021:5129", "cpe": "cpe:/a:redhat:logging:5.3::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-65", "product_name": "OpenShift Logging 5.3", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2022:2217", "cpe": "cpe:/a:redhat:logging:5.3::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-159", "product_name": "OpenShift Logging 5.3", "release_date": "2022-05-11T00:00:00Z"}, {"advisory": "RHSA-2021:4851", "cpe": "cpe:/a:redhat:amq_broker:7", "impact": "low", "package": "netty-codec", "product_name": "Red Hat AMQ 7.9.1", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2022:0138", "cpe": "cpe:/a:redhat:amq_streams:2", "impact": "low", "package": "netty-codec", "product_name": "Red Hat AMQ Streams 2.0.0", "release_date": "2022-01-13T00:00:00Z"}, {"advisory": "RHSA-2023:3223", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Red Hat AMQ Streams 2.4.0", "release_date": "2023-05-18T00:00:00Z"}, {"advisory": "RHSA-2023:5165", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Red Hat 
AMQ Streams 2.5.0", "release_date": "2023-09-14T00:00:00Z"}, {"advisory": "RHSA-2022:0589", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "netty-codec", "product_name": "Red Hat build of Quarkus 2.2.5", "release_date": "2022-02-21T00:00:00Z"}, {"advisory": "RHSA-2022:0520", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "netty-codec", "product_name": "Red Hat Data Grid 8.3.0", "release_date": "2022-02-14T00:00:00Z"}, {"advisory": "RHSA-2021:5134", "cpe": "cpe:/a:redhat:jboss_fuse:7", "impact": "low", "package": "netty-codec", "product_name": "Red Hat Fuse 7.10", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2022:4922", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "netty-all", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-glassfish-el-0:3.0.1-4.b08_redhat_00005.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-hibernate-0:5.1.17-3.Final_redhat_00004.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-jackson-databind-0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-jboss-ejb-client-0:4.0.12-1.Final_redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise 
Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-netty-0:4.1.63-2.Final_redhat_00003.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-undertow-0:1.4.18-16.SP14_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-0:7.1.11-4.GA_redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-elytron-0:1.1.14-1.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-http-client-0:1.0.21-1.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-naming-client-0:1.0.13-1.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": 
"cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9582", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-openssl-linux-0:1.0.12-6.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9583", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-annotations-0:2.10.4-3.redhat_00006.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9583", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-core-0:2.10.4-3.redhat_00006.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9583", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-databind-0:2.10.4-5.redhat_00006.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9583", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-jaxrs-providers-0:2.10.4-3.redhat_00006.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9583", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-modules-base-0:2.10.4-5.redhat_00006.1.el7eap", "product_name": "Red Hat JBoss 
Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9583", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00006.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9583", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jboss-server-migration-0:1.7.2-16.Final_redhat_00017.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9583", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-netty-0:4.1.63-5.Final_redhat_00003.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9583", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-undertow-0:2.0.41-4.SP5_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9583", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-wildfly-0:7.3.14-3.GA_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2025:9583", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-wildfly-elytron-0:1.10.17-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-06-25T00:00:00Z"}, {"advisory": "RHSA-2022:4919", "cpe": 
"cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-0:4.1.72-4.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:4918", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-0:4.1.72-4.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:8506", "cpe": "cpe:/a:redhat:satellite:6.12::el8", "impact": "low", "package": "candlepin-0:4.1.15-1.el8sat", "product_name": "Red Hat Satellite 6.12 for RHEL 8", "release_date": "2022-11-16T00:00:00Z"}, {"advisory": "RHSA-2022:1013", "cpe": "cpe:/a:redhat:camel_quarkus:2.2.1", "impact": "low", "package": "netty-codec", "product_name": "RHINT Camel-Q 2.2.1", "release_date": "2022-03-22T00:00:00Z"}, {"advisory": "RHSA-2022:6835", "cpe": "cpe:/a:redhat:service_registry:2.3", "impact": "low", "package": "netty-codec", "product_name": "RHINT Service Registry 2.3.0 GA", "release_date": "2022-10-06T00:00:00Z"}, {"advisory": "RHSA-2022:5903", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "netty-codec", "product_name": "RHPAM 7.13.0 async", "release_date": "2022-08-04T00:00:00Z"}, {"advisory": "RHSA-2021:3959", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "netty-codec", "product_name": "Vert.x 4.1.5", "release_date": "2021-11-10T00:00:00Z"}], "bugzilla": {"description": "netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data", "id": "2004133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["The Bzip2 decompression decoder function doesn't allow setting 
size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack", "A flaw was found in Netty's netty-codec due to missing size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service."], "name": "CVE-2021-37136", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "package_name": "netty-codec", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform", "fix_state": "Out of support scope", "package_name": "netty-codec", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "impact": "low", "package_name": "netty-codec", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "impact": "low", "package_name": "netty-codec", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "impact": "low", "package_name": "netty-codec", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Out of support scope", "package_name": "netty-codec", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "netty-codec", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "netty-codec", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "netty-codec", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support 
scope", "package_name": "netty-codec", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-logging-elasticsearch5", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Out of support scope", "package_name": "openshift4/ose-logging-elasticsearch6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-metering-hadoop", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-hive", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-presto", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "impact": "low", "package_name": "netty-codec", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2021-09-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-37136\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-37136\nhttps://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"], "statement": "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. 
Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\nStarting in OCP 4.7, the elasticsearch component ships as part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already in the Maintenance Phase of support.\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "threat_severity": "Moderate"}