{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47535", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-25T21:46:10.929Z", "datePublished": "2024-11-12T15:50:08.334Z", "dateUpdated": "2024-11-13T20:44:41.743Z"}, "containers": {"cna": {"title": "Denial of Service attack on windows app using Netty", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv"}, {"name": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3", "tags": ["x_refsource_MISC"], "url": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3"}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"version": "< 4.1.115", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-12T15:50:08.334Z"}, "descriptions": [{"lang": "en", "value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115."}], "source": {"advisory": "GHSA-xq3w-v528-46rv", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "netty", "product": "netty", "cpes": ["cpe:2.3:a:netty:netty:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4.1.115", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-13T20:43:58.714521Z", "id": "CVE-2024-47535", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T20:44:41.743Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47535", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-13T20:43:58.714521Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:netty:netty:-:*:*:*:*:*:*:*"], "vendor": "netty", "product": "netty", "versions": [{"status": "affected", "version": "0", "lessThan": "4.1.115", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T20:44:36.110Z"}}], "cna": {"title": "Denial of Service attack on windows app using Netty", "source": {"advisory": "GHSA-xq3w-v528-46rv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"status": "affected", "version": "< 4.1.115"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv", "name": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3", "name": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-12T15:50:08.334Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47535", "state": "PUBLISHED", "dateUpdated": "2024-11-13T20:44:41.743Z", "dateReserved": "2024-09-25T21:46:10.929Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-12T15:50:08.334Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "8ACD5F9E-5E81-4D37-84EB-7BC68740A430", "versionEndExcluding": "4.1.115", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115."}, {"lang": "es", "value": "Netty es un framework de trabajo de aplicaci\u00f3n de red asincr\u00f3nico controlado por eventos para el desarrollo r\u00e1pido de servidores y clientes de protocolo de alto rendimiento y mantenibles. Una lectura no segura de un archivo de entorno podr\u00eda provocar una denegaci\u00f3n de servicio en Netty. Cuando se carga en una aplicaci\u00f3n de Windows, Netty intenta cargar un archivo que no existe. Si un atacante crea un archivo tan grande, la aplicaci\u00f3n Netty se bloquea. Esta vulnerabilidad se corrigi\u00f3 en 4.1.115."}], "id": "CVE-2024-47535", "lastModified": "2025-09-05T14:00:07.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-11-12T16:15:22.237", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:0900", "cpe": "cpe:/a:redhat:quarkus:3.15::el8", "package": "io.quarkus/quarkus-netty", "product_name": "Red Hat build of Quarkus 3.15.3", "release_date": "2025-02-05T00:00:00Z"}, {"advisory": "RHSA-2025:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "io.netty/netty", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:4552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:4549", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-apache-commons-io-0:2.16.1-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4549", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-hal-console-0:3.3.26-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4549", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-ironjacamar-0:1.5.19-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4549", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-remoting-0:5.0.31-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4549", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-server-migration-0:1.10.0-41.Final_redhat_00041.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4549", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-weld-core-0:3.1.11-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4549", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-0:7.4.22-2.GA_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4549", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-elytron-0:1.15.25-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:4550", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-apache-commons-io-0:2.16.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4550", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-hal-console-0:3.3.26-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4550", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-ironjacamar-0:1.5.19-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4550", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-remoting-0:5.0.31-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4550", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-server-migration-0:1.10.0-41.Final_redhat_00041.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4550", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-weld-core-0:3.1.11-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4550", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-0:7.4.22-2.GA_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4550", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-elytron-0:1.15.25-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:4548", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-apache-commons-io-0:2.16.1-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4548", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-hal-console-0:3.3.26-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4548", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-ironjacamar-0:1.5.19-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4548", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-remoting-0:5.0.31-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4548", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-server-migration-0:1.10.0-41.Final_redhat_00041.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4548", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-weld-core-0:3.1.11-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4548", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-wildfly-0:7.4.22-2.GA_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4548", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-wildfly-elytron-0:1.15.25-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:3358", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "io.netty/netty", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-eap-product-conf-parent-0:800.6.1-1.GA_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-netty-0:4.1.119-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-slf4j-0:2.0.16-2.redhat_00003.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-wildfly-0:8.0.6-15.GA_redhat_00009.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-eap-product-conf-parent-0:800.6.1-1.GA_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-0:4.1.119-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-slf4j-0:2.0.16-2.redhat_00003.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3357", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-0:8.0.6-15.GA_redhat_00009.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:2416", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Streams for Apache Kafka 2.9.0", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:9922", "cpe": "cpe:/a:redhat:amq_streams:2.9::el9", "product_name": "Streams for Apache Kafka 2.9.1", "release_date": "2025-06-30T00:00:00Z"}], "bugzilla": {"description": "netty: Denial of Service attack on windows app using Netty", "id": "2325538", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325538"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.", "A flaw was found in Netty. An unsafe reading of the environment file could potentially cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crashes."], "name": "CVE-2024-47535", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "io.netty/netty", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "io.netty/netty", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "io.netty/netty", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "io.netty/netty", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "io.netty/netty", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "io.netty/netty", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "io.netty/netty", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "io.netty/netty", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "io.netty/netty", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-11-12T15:50:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47535\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47535\nhttps://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3\nhttps://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv"], "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.", "threat_severity": "Moderate"}