
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-37136 is a vulnerability in the Bzip2 decompression decoder function of Netty, discovered and disclosed in September 2021. The vulnerability affects Netty versions 4.1.0 to 4.1.67 (inclusive), where the decompression decoder function doesn't allow setting size restrictions on the decompressed output data, which affects the allocation size used during decompression (GitHub Advisory).
The vulnerability stems from the Bzip2 decoder attempting to decompress the entire input before adding it to the output buffer, with no restriction on the size of that output. Because the decoder keeps processing until it reaches the end of the file, a small but highly compressible input (a decompression bomb) forces memory allocation proportional to the decompressed size rather than the compressed size. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
The vulnerability can be exploited to trigger an Out of Memory Error (OOME), leading to a Denial of Service (DoS) attack. Testing has demonstrated that a maliciously crafted Bzip2 file could cause memory usage of up to 100GB, eventually crashing the process (JFrog Blog).
The vulnerability was patched in Netty version 4.1.68. The fix modifies the decoder function to return after processing each chunk, allowing the caller to handle the decompressed data in smaller portions. There are no workarounds for this issue, and users are strongly encouraged to upgrade to version 4.1.68 or later (GitHub Advisory).
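As an added illustration, not code from Netty or from this report, the handler below shows how an application on a patched release (4.1.68 or later) can enforce the output budget the decoder itself lacks: since the fixed decoder hands decompressed data downstream chunk by chunk, a handler placed directly after Bzip2Decoder can count those bytes and abort the connection once a limit is exceeded. The class name and the 64 MiB budget are assumptions; on vulnerable versions this guard cannot help, because no output reaches it until the whole file has been decompressed.

```java
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.TooLongFrameException;
import io.netty.handler.codec.compression.Bzip2Decoder;
import io.netty.util.ReferenceCountUtil;

/** Aborts a connection once the cumulative decompressed output exceeds a fixed budget. */
public final class DecompressedSizeLimiter extends ChannelInboundHandlerAdapter {
    private final long maxDecompressedBytes;
    private long seen; // bytes emitted by the decoder so far on this channel

    public DecompressedSizeLimiter(long maxDecompressedBytes) {
        this.maxDecompressedBytes = maxDecompressedBytes;
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof ByteBuf) {
            seen += ((ByteBuf) msg).readableBytes();
            if (seen > maxDecompressedBytes) {
                // Release the chunk we will not forward, report the violation, and drop the peer
                ReferenceCountUtil.release(msg);
                ctx.fireExceptionCaught(new TooLongFrameException(
                        "decompressed output exceeded " + maxDecompressedBytes + " bytes"));
                ctx.close();
                return;
            }
        }
        ctx.fireChannelRead(msg);
    }

    /** Example wiring (assumed): the size guard sits immediately after the decoder. */
    static void install(SocketChannel ch) {
        ChannelPipeline p = ch.pipeline();
        p.addLast("bzip2", new Bzip2Decoder());
        p.addLast("size-guard", new DecompressedSizeLimiter(64L * 1024 * 1024)); // 64 MiB, assumed budget
    }
}
```

Choose the budget from what the application genuinely needs to buffer per connection; the handler keeps a per-channel counter, so it must be a fresh instance per pipeline rather than a shared one.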
Multiple organizations and vendors have responded to this vulnerability by issuing security advisories and patches, including NetApp, Debian, and Oracle. NetApp released patches for affected products and provided detailed advisories (NetApp Advisory). Debian included fixes in their security updates, addressing the vulnerability across multiple versions (Debian Advisory).
Source: This report was generated using AI