Resource exhaustion in Netapp Oncommand_insight
CVE-2021-37137
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory us…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.063 (92.7th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Netapp Oncommand_insight
- Netty
- Oracle Banking_apis — versions 19.1, 19.2, 20.1
- Oracle Banking_digital_experience — versions 18.1, 18.2, 18.3
- Oracle Commerce_guided_search — versions 11.3.2
- Oracle Communications_brm_-_elastic_charging_engine — versions 12.0.0.5.0
- Oracle Communications_cloud_native_core_binding_support_function — versions 1.10.0
- Oracle Communications_diameter_signaling_router
- Oracle Peoplesoft_enterprise_peopletools — versions 8.57, 8.58, 8.59
- Oracle Webcenter_portal — versions 12.2.1.3.0, 12.2.1.4.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- reefs@jfrog.com (Third Party Advisory)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (mailing-list)
- reefs@jfrog.com (Patch, Third Party Advisory)
- reefs@jfrog.com (Patch, Third Party Advisory)
- reefs@jfrog.com (Third Party Advisory)
Frequently asked questions
- What is CVE-2021-37137?
- CVE-2021-37137 is a high-severity vulnerability in Netapp Oncommand_insight, classified under Uncontrolled Resource Consumption. CVSS score: 7.5/10. Published 2021-10-19.
- How severe is CVE-2021-37137?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2021-37137 known to be exploited?
- 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.