
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-11612 is a vulnerability in the ZlibDecoders component of Netty versions 4.1.x before 4.1.46. It was disclosed on April 7, 2020, and concerns the way Netty handles ZlibEncoded byte streams: the decoder allocates memory for the decompressed output without any upper bound (NVD, CVE).
The flaw is that the ZlibDecoders enforce no limit on memory allocation while decoding a ZlibEncoded byte stream, so the size of the decompressed buffer is controlled entirely by the sender of the stream. The vulnerability has a CVSS v3.1 Base Score of 7.5 (High), with attack vector Network, attack complexity Low, and no privileges or user interaction required (Ubuntu).
An attacker could exploit this vulnerability by sending a large ZlibEncoded byte stream to a Netty server, forcing the server to allocate all of its free memory to a single decoder. This could lead to a Denial of Service (DoS) condition by exhausting the server's memory resources (NVD).
The primary mitigation is to upgrade to Netty version 4.1.46 or later, which includes a fix for this vulnerability. The fix implements a limit on the decompressed buffer size for ZlibDecoders, so decoding fails once that limit is reached instead of continuing to allocate. For systems that cannot be immediately upgraded, there are no documented workarounds (Github PR).
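To show the difference between the unbounded decoding described above and the capped decoding the fix introduces, here is an added stand-alone Python illustration (not Netty's code, and not from the advisory). It uses the standard zlib module; the sample stream, the `max_allocation` name and the 64 KiB cap are constructed for the example.

```python
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when inflated output would grow past the configured ceiling."""


def inflate_unbounded(stream: bytes) -> bytes:
    """The pre-fix behaviour in miniature: inflate everything the peer sent.
    The size of the output buffer is decided by the sender, not the server."""
    return zlib.decompress(stream)


def inflate_bounded(stream: bytes, max_allocation: int, chunk: int = 4096) -> bytes:
    """Inflate `stream` but refuse once output exceeds `max_allocation` bytes.

    Output is produced at most `chunk` bytes per call, so the check fires
    before a large allocation happens rather than after it."""
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = stream
    while True:
        piece = inflater.decompress(pending, chunk)   # at most `chunk` bytes
        out += piece
        if len(out) > max_allocation:
            raise DecompressionLimitExceeded(
                f"inflated output exceeds {max_allocation} bytes")
        pending = inflater.unconsumed_tail              # input not yet consumed
        if inflater.eof:
            return bytes(out)
        if not piece and not pending:
            # No output and no input left: the stream is incomplete.
            raise ValueError("incomplete zlib stream")


def decoder_rejects(stream: bytes, max_allocation: int) -> bool:
    """True if the bounded decoder refuses `stream` under `max_allocation`."""
    try:
        inflate_bounded(stream, max_allocation)
    except DecompressionLimitExceeded:
        return True
    return False


# Constructed sample: 1 MiB of zeros compresses to roughly 1 KiB, so a few
# kilobytes on the wire force a megabyte of allocation in the decoder.
SAMPLE_PLAINTEXT_LEN = 1 << 20
SAMPLE_STREAM = zlib.compress(b"\0" * SAMPLE_PLAINTEXT_LEN)
SAMPLE_CAP = 64 * 1024   # constructed 64 KiB ceiling for the bounded decoder

if __name__ == "__main__":
    print("wire bytes:", len(SAMPLE_STREAM), "inflated:", len(inflate_unbounded(SAMPLE_STREAM)))
    print("rejected under cap:", decoder_rejects(SAMPLE_STREAM, SAMPLE_CAP))
```

The unbounded variant happily returns the full megabyte; the bounded variant stops after the first 64 KiB and raises, which is the behaviour a capped decoder gives a server.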
The vulnerability was tracked and patched by multiple organizations and projects that depend on Netty, including Apache Druid and Apache ZooKeeper. The fix was implemented through a pull request that received significant attention from the developer community, reflecting the severity of the issue (Github Issue).
Source: This report was generated using AI