Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

N/A

不加限制或调节的资源分配

Netty 安全漏洞

Netty是Netty社区的一款非阻塞I/O客户端-服务器框架，它主要用于开发Java网络应用程序，如协议服务器和客户端等。 Netty 4.1.132.Final之前版本和4.2.10.Final之前版本存在安全漏洞，该漏洞源于缺少CONTINUATION帧数量限制，可能导致远程用户通过发送大量CONTINUATION帧触发拒绝服务攻击。

N/A

N/A