Netty
cpe:2.3:a:netty_project:netty:*:*:*:*:*:*:*, +1 more
- <= 4.2.12.Final
- <= 4.1.132.Final
A resource exhaustion vulnerability has been identified in Netty versions prior to 4.2.13.Final and 4.1.133.Final. The issue arises in the Lz4FrameDecoder, which allocates a ByteBuf sized from the decompressed length declared in the block header, potentially up to 32 MB per block, before LZ4 decompression occurs. An untrusted peer can trigger this allocation by sending a 21-byte header plus a payload that exceeds the compressed length, forcing the decoder to reserve large amounts of memory. Because such requests are small and can be repeated, their allocations cumulatively consume significant memory, leading to a denial-of-service condition.
Exploitation of this vulnerability can cause a denial-of-service condition by exhausting server memory, potentially leading to application crashes or degraded performance.
The vulnerability can be reproduced by setting up a Netty server that uses the Lz4FrameDecoder. Once the server is running, a client can be created to send a specially crafted payload that includes a 21-byte header and a compressed length that triggers the allocation of a 32 MB ByteBuf. This can be done using a test that connects to the server, sends the malicious payload, and then checks for memory exhaustion errors.
Users can upgrade to Netty versions 4.2.13.Final or 4.1.133.Final to address this vulnerability.
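The following is an added example, not Netty code and not the project's actual patch. It models the decision the description above attributes to the decoder (size the output buffer from the header's decompressed length as soon as the header is readable) next to a hardened ordering that a decoder can apply: validate the declared lengths against a hard cap and allocate nothing until the whole compressed block has actually arrived, so a peer that sends only a 21-byte header plus a few bytes never causes a large allocation. The 21-byte header size and 32 MB block limit come from the advisory; the field layout (8-byte magic, 1-byte token, little-endian compressed length, decompressed length and checksum) and the token encoding of the block size are this example's assumptions, as are the constant names.

```python
"""Bounded-allocation check for an LZ4 block header (illustrative, not Netty code)."""
import struct
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

HEADER_LENGTH = 21                  # 21-byte block header (from the advisory)
MAX_BLOCK_SIZE = 32 * 1024 * 1024   # 32 MB largest block (from the advisory)
COMPRESSION_LEVEL_BASE = 10         # assumed: block size = 1 << (level + 10)
MAGIC = b"LZ4Block"                 # assumed 8-byte magic used by this example
BLOCK_TYPE_NON_COMPRESSED = 0x10    # assumed token high-nibble values
BLOCK_TYPE_COMPRESSED = 0x20


class Decision(Enum):
    NEED_HEADER = "need_header"  # fewer than 21 bytes buffered so far
    REJECT = "reject"            # header fails validation; drop the connection
    DEFER = "defer"              # header valid, payload incomplete: allocate nothing yet
    ALLOCATE = "allocate"        # whole block buffered: safe to allocate decompressed_length


@dataclass(frozen=True)
class Header:
    token: int
    compressed_length: int
    decompressed_length: int
    checksum: int

    @property
    def block_type(self) -> int:
        return self.token & 0xF0

    @property
    def max_decompressed(self) -> int:
        # Largest output the token's block-size level permits (assumed encoding).
        return 1 << ((self.token & 0x0F) + COMPRESSION_LEVEL_BASE)


def build_header(token: int, compressed_length: int,
                 decompressed_length: int, checksum: int = 0) -> bytes:
    """Constructed sample input for tests; not captured traffic."""
    return MAGIC + bytes([token]) + struct.pack("<iiI", compressed_length,
                                                decompressed_length, checksum)


def parse_header(data: bytes) -> Header:
    """Parse the fixed 21-byte header; caller guarantees len(data) >= HEADER_LENGTH."""
    if data[:8] != MAGIC:
        raise ValueError("bad magic")
    compressed, decompressed, checksum = struct.unpack_from("<iiI", data, 9)
    return Header(data[8], compressed, decompressed, checksum)


def naive_allocation(data: bytes) -> Optional[int]:
    """The ordering the advisory describes: the output buffer is sized from the
    header's decompressed length as soon as the header is readable, before any
    of the compressed payload has been received or checked."""
    if len(data) < HEADER_LENGTH:
        return None
    return parse_header(data).decompressed_length


def hardened_decision(data: bytes,
                      max_block_size: int = MAX_BLOCK_SIZE) -> Tuple[Decision, str]:
    """Validate the header against hard limits and defer allocation until the
    full compressed block is buffered. Memory held per connection is then bounded
    by bytes the peer actually sent, not by a length it merely declared."""
    if len(data) < HEADER_LENGTH:
        return Decision.NEED_HEADER, "waiting for 21-byte header"
    try:
        h = parse_header(data)
    except ValueError as exc:
        return Decision.REJECT, str(exc)
    if h.block_type not in (BLOCK_TYPE_NON_COMPRESSED, BLOCK_TYPE_COMPRESSED):
        return Decision.REJECT, "unknown block type 0x%02x" % h.block_type
    limit = min(h.max_decompressed, max_block_size)
    if not 0 <= h.decompressed_length <= limit:
        return Decision.REJECT, "decompressed length %d exceeds %d" % (h.decompressed_length, limit)
    if not 0 <= h.compressed_length <= max_block_size:   # policy of this example
        return Decision.REJECT, "compressed length %d out of range" % h.compressed_length
    if (h.block_type == BLOCK_TYPE_NON_COMPRESSED
            and h.compressed_length != h.decompressed_length):
        return Decision.REJECT, "stored block with mismatched lengths"
    available = len(data) - HEADER_LENGTH
    if available < h.compressed_length:
        # Keep only what has arrived; no output buffer exists yet.
        return Decision.DEFER, "%d/%d compressed bytes buffered" % (available, h.compressed_length)
    return Decision.ALLOCATE, "allocate %d bytes" % h.decompressed_length


if __name__ == "__main__":
    # Constructed sample: header declaring a 32 MB output with 3 bytes of payload present.
    sample = build_header(0x2F, 100, MAX_BLOCK_SIZE) + b"abc"
    print("naive ordering would allocate:", naive_allocation(sample))
    print("hardened ordering:", hardened_decision(sample))
```

The point of the comparison is the ordering, not the specific limits: with allocation deferred until `available >= compressed_length`, a short header with a large declared output costs the server only the bytes actually buffered, and the per-connection cap on buffered compressed data becomes the quantity to monitor and alert on.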