Apache Netty Denial-of-Service Vulnerability in Windows Applications

A denial-of-service vulnerability has been identified in Apache Netty, an asynchronous, event-driven network application framework, in versions prior to and including 4.1.118.Final. When running on a Windows application, Netty improperly reads the environment file, leading to a crash if an attacker creates a large file that fills the application's buffer. This issue arises because the initial fix for a similar vulnerability, CVE-2024-47535, was incomplete; it failed to account for null bytes in the input limit. The vulnerability can be exploited by creating a file filled with null bytes, which Netty's input stream handling will mismanage, causing the application to crash.

Impact

Exploitation of this vulnerability can cause a Netty application to crash, leading to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, create a file filled with null bytes and ensure it is larger than the application's buffer limit. When the file is loaded by Netty, the null bytes will be misinterpreted, causing the application to crash once the buffer is full.

Remediation

Users can upgrade to Apache Netty version 4.1.122.Final or later, where this vulnerability has been fixed.