CVE-2016-4970

Published: 13 April 2017

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: netty (Launchpad, Ubuntu, Debian)

Release: Status
artful: Not vulnerable (1:4.0.37-1)
bionic: Not vulnerable (1:4.0.37-1)
cosmic: Not vulnerable (1:4.0.37-1)
disco: Not vulnerable (1:4.0.37-1)
eoan: Not vulnerable (1:4.0.37-1)
focal: Not vulnerable (1:4.0.37-1)
groovy: Not vulnerable (1:4.0.37-1)
hirsute: Not vulnerable (1:4.0.37-1)
impish: Not vulnerable (1:4.0.37-1)
jammy: Not vulnerable (1:4.0.37-1)
precise: Does not exist (precise was not-affected)
trusty: Not vulnerable
upstream: Released (1:4.0.37-1)
wily: Not vulnerable
xenial: Ignored (end of standard support, was needed)
yakkety: Not vulnerable (1:4.0.37-1)
zesty: Not vulnerable (1:4.0.37-1)

Notes

Author: seth-arnold
Note: Users can use -Djdk.tls.rejectClientInitiatedRenegotiation=true to
disable renegotiation and avoid this issue.
Versions affected: Netty 4.0.0.Final - 4.0.36.Final and 4.1.0.Final