Lucene search

K
osvGoogleOSV:GHSA-8HXH-R6F7-JF45
HistoryOct 16, 2020 - 5:03 p.m.

Memory exhaustion in http4s-async-http-client with large or malicious compressed responses

2020-10-1617:03:43
Google
osv.dev
149

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.011 Low

EPSS

Percentile

84.3%

Impact

A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a transitive dependency on netty-codec-4.1.45.Final, which is affected by CVE-2020-11612.

Patches

Upgrade to http4s-async-http-client >= 0.21.8. All 1.0 milestones are also safe.

Workarounds

Add an explicit runtime dependency on async-http-client’s netty dependencies that evicts them to an unaffected version:

libraryDependencies ++= Seq(
  "io.netty" %  "netty-codec"         % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-codec-socks"   % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-handler-proxy" % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-common"        % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-transport"     % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-handler"       % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-resolver-dns"  % "4.1.53.Final" % Runtime
)

References

For more information

If you have any questions or comments about this advisory:

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.011 Low

EPSS

Percentile

84.3%