CVE-2022-41881 - Vulnerability Details

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Netty	Netty
Redhat	Camel Quarkus Camel Spring Boot Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Application Platform Eus Jboss Fuse Migration Toolkit Applications Migration Toolkit Runtimes Openshift Application Runtimes Quarkus Red Hat Single Sign On Rhosemc

Configuration 1 [-]

cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Package	CPE	Advisory	Released Date
CEQ 2.13.2-1
codec-haproxy	cpe:/a:redhat:camel_quarkus:2.13	RHSA-2023:0888	2023-02-21T00:00:00Z
EAP 7.4.10 release
codec-haproxy	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2023:1516	2023-03-29T00:00:00Z
Migration Toolkit for Runtimes 1 on RHEL 8
mtr/mtr-web-container-rhel8:1.1-7	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2023:3373	2023-05-31T00:00:00Z
io.netty-netty-parent	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2023:3374	2023-05-31T00:00:00Z
org.jboss.windup.plugin-windup-maven-plugin-parent	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2023:3374	2023-05-31T00:00:00Z
MTA-6.2-RHEL-9
mta/mta-windup-addon-rhel9:6.2.0-11	cpe:/a:redhat:migration_toolkit_applications:6.2::el9	RHSA-2023:4627	2023-08-14T00:00:00Z
Red Hat build of Eclipse Vert.x 4.3.7
codec-haproxy	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2023:0577	2023-02-16T00:00:00Z
Red Hat build of Quarkus
	cpe:/a:redhat:quarkus:2.13	RHSA-2023:0758	2023-02-14T00:00:00Z
Red Hat Data Grid 8.4.1
codec-haproxy	cpe:/a:redhat:jboss_data_grid:8	RHSA-2023:0713	2023-02-09T00:00:00Z
Red Hat Fuse 7.12
codec-haproxy	cpe:/a:redhat:jboss_fuse:7	RHSA-2023:3954	2023-06-29T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:1746	2025-02-24T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:1747	2025-02-24T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2023:1513	2023-03-29T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2023:1514	2023-03-29T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2023:1512	2023-03-29T00:00:00Z
Red Hat Single Sign-On 7
codec-haproxy	cpe:/a:redhat:red_hat_single_sign_on:7.6.3	RHSA-2023:2713	2023-05-10T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2023:2705	2023-05-10T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2023:2706	2023-05-10T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2023:2707	2023-05-10T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso76-openshift-rhel8:7.6-22	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2023:2710	2023-05-10T00:00:00Z
RHINT Camel-Springboot 3.20.1
codec-haproxy	cpe:/a:redhat:camel_spring_boot:3.20.1	RHSA-2023:2100	2023-05-03T00:00:00Z

References

Link	Providers
https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
https://nvd.nist.gov/vuln/detail/CVE-2022-41881
https://security.netapp.com/advisory/ntap-20230113-0004/
https://www.cve.org/CVERecord?id=CVE-2022-41881
https://www.debian.org/security/2023/dsa-5316

History

Tue, 25 Feb 2025 02:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform Eus
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products		Redhat jboss Enterprise Application Platform Eus

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-12T00:00:00

Updated: 2024-08-03T12:56:38.229Z

Reserved: 2022-09-30T00:00:00

Link: CVE-2022-41881

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-12T18:15:12.773

Modified: 2024-11-21T07:23:58.807

Link: CVE-2022-41881

Redhat

Severity : Moderate

Publid Date: 2022-12-12T00:00:00Z

Links: CVE-2022-41881 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-41881", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:56:38.229Z", "dateReserved": "2022-09-30T00:00:00", "datePublished": "2022-12-12T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-13T00:00:00"}, "descriptions": [{"lang": "en", "value": "Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder."}], "affected": [{"vendor": "netty", "product": "netty", "versions": [{"version": "< 4.1.86.Final", "status": "affected"}]}], "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v"}, {"name": "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"}, {"name": "DSA-5316", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5316"}, {"url": "https://security.netapp.com/advisory/ntap-20230113-0004/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "cweId": "CWE-674"}]}], "source": {"advisory": "GHSA-fx2c-96vj-985v", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:38.229Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"}, {"name": "DSA-5316", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2023/dsa-5316"}, {"url": "https://security.netapp.com/advisory/ntap-20230113-0004/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "matchCriteriaId": "23E33B4F-0C2C-4943-B9EE-9E446C3BE7FD", "versionEndExcluding": "4.1.86", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder."}, {"lang": "es", "value": "El proyecto Netty es un framework de aplicaci\u00f3n de red as\u00edncrona impulsado por eventos. En versiones anteriores a la 4.1.86.Final, se puede generar un StackOverflowError al analizar un mensaje manipulado con formato incorrecto debido a una recursividad infinita. Este problema se solucion\u00f3 en la versi\u00f3n 4.1.86.Final. No existe ning\u00fan workaround, excepto utilizar un HaProxyMessageDecoder personalizado."}], "id": "CVE-2022-41881", "lastModified": "2024-11-21T07:23:58.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-12T18:15:12.773", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230113-0004/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5316"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230113-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5316"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-674"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:0888", "cpe": "cpe:/a:redhat:camel_quarkus:2.13", "package": "codec-haproxy", "product_name": "CEQ 2.13.2-1", "release_date": "2023-02-21T00:00:00Z"}, {"advisory": "RHSA-2023:1516", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "codec-haproxy", "product_name": "EAP 7.4.10 release", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:3373", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-web-container-rhel8:1.1-7", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2023-05-31T00:00:00Z"}, {"advisory": "RHSA-2023:3374", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "io.netty-netty-parent", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2023-05-31T00:00:00Z"}, {"advisory": "RHSA-2023:3374", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "org.jboss.windup.plugin-windup-maven-plugin-parent", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2023-05-31T00:00:00Z"}, {"advisory": "RHSA-2023:4627", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-windup-addon-rhel9:6.2.0-11", "product_name": "MTA-6.2-RHEL-9", "release_date": "2023-08-14T00:00:00Z"}, {"advisory": "RHSA-2023:0577", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "codec-haproxy", "product_name": "Red Hat build of Eclipse Vert.x 4.3.7", "release_date": "2023-02-16T00:00:00Z"}, {"advisory": "RHSA-2023:0758", "cpe": "cpe:/a:redhat:quarkus:2.13", "product_name": "Red Hat build of Quarkus", "release_date": "2023-02-14T00:00:00Z"}, {"advisory": "RHSA-2023:0713", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "codec-haproxy", "product_name": "Red Hat Data Grid 8.4.1", "release_date": "2023-02-09T00:00:00Z"}, {"advisory": "RHSA-2023:3954", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "codec-haproxy", "product_name": "Red Hat Fuse 7.12", "release_date": "2023-06-29T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1746", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2025:1747", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2025-02-24T00:00:00Z"}, {"advisory": "RHSA-2023:1513", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:1514", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:1512", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:2713", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6.3", "package": "codec-haproxy", "product_name": "Red Hat Single Sign-On 7", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2705", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2706", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2707", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package": "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2710", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso76-openshift-rhel8:7.6-22", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2100", "cpe": "cpe:/a:redhat:camel_spring_boot:3.20.1", "package": "codec-haproxy", "product_name": "RHINT Camel-Springboot 3.20.1", "release_date": "2023-05-03T00:00:00Z"}], "bugzilla": {"description": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", "id": "2153379", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-674", "details": ["Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.", "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS)."], "name": "CVE-2022-41881", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Will not fix", "package_name": "codec-haproxy", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Affected", "package_name": "io.netty-netty-parent", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Affected", "package_name": "org.jboss.windup.plugin-windup-maven-plugin-parent", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Affected", "package_name": "org.jboss.windup-windup-parent", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1", "fix_state": "Affected", "package_name": "org.jboss.windup-windup-parent", "product_name": "Migration Toolkit for Runtimes"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "codec-haproxy", "product_name": "Red Hat build of Debezium 1"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Will not fix", "package_name": "codec-haproxy", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "codec-haproxy", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "codec-haproxy", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "codec-haproxy", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "codec-haproxy", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "codec-haproxy", "product_name": "Red Hat Process Automation 7"}], "public_date": "2022-12-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-41881\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-41881"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object