Description

In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.

Remediation

References

http://www.openwall.com/lists/oss-security/2021/11/01/2

http://www.openwall.com/lists/oss-security/2021/11/01/8

https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E

https://www.oracle.com/security-alerts/cpuapr2022.html

Related Vulnerabilities

CVE-2022-36906 Vulnerability in maven package org.jenkins-ci.plugins:openshift-deployer

CVE-2022-36888 Vulnerability in maven package com.datapipe.jenkins.plugins:hashicorp-vault-plugin

CVE-2021-33040 Vulnerability in npm package epubjs

CVE-2019-13000 Vulnerability in maven package fr.acinq.eclair:eclair-core_2.11

CVE-2022-25923 Vulnerability in npm package exec-local-bin

Severity

High

Classification

CWE-835 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Tags

Mailing List Patch Third Party Advisory Vendor Advisory