Resource exhaustion in Netapp Oncommand_insight
CVE-2021-37136
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.057 (92.0th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Netapp Oncommand_insight
- Netty
- Oracle Banking_apis — versions 19.1, 19.2, 20.1
- Oracle Banking_digital_experience — versions 18.1, 18.2, 18.3
- Oracle Coherence — versions 12.2.1.4.0, 14.1.1.0.0
- Oracle Commerce_guided_search — versions 11.3.2
- Oracle Communications_brm_-_elastic_charging_engine — versions 12
- Oracle Communications_cloud_native_core_binding_support_function — versions 1.10.0, 1.11.0
- Oracle Communications_cloud_native_core_network_slice_selection_function — versions 1.8.0
- Oracle Communications_cloud_native_core_policy — versions 1.15.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- reefs@jfrog.com (Third Party Advisory)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (Patch, Third Party Advisory)
- reefs@jfrog.com (Patch, Third Party Advisory)
- reefs@jfrog.com (Third Party Advisory)
Frequently asked questions
- What is CVE-2021-37136?
- CVE-2021-37136 is a high-severity vulnerability in Netapp Oncommand_insight, classified under Uncontrolled Resource Consumption. CVSS score: 7.5/10. Published 2021-10-19.
- How severe is CVE-2021-37136?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2021-37136 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.