CVE-2022-41881 - Denial of Service (DoS)

Severity: High

2023-02-01


Abstract

The Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message, due to infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround other than using a custom HaProxyMessageDecoder.

The Oxygen products incorporate Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                                 | Severity | Fixed Release Availability
Oxygen XML Author v25.0 and older       | Low      | Oxygen XML Author 25.0 build 2023013006
Oxygen XML Developer v25.0 and older    | Low      | Oxygen XML Developer 25.0 build 2023013006
Oxygen XML Editor v25.0 and older       | Low      | Oxygen XML Editor 25.0 build 2023013006
Oxygen Content Fusion v5.0.2 and older  | High     | Oxygen Content Fusion 5.0.3 build 2023022015

Mitigation

None

Detail

CVE-2022-41881

Severity: High

CVSS Score: 7.5

The version of the Netty third-party library used by Oxygen XML products is among the affected versions listed in the CVE-2022-41881 vulnerability description.

Starting with Oxygen XML Author v25.0 build 2023013006, the Netty library was updated to v4.1.86.Final, which fixes this vulnerability.

Starting with Oxygen XML Developer v25.0 build 2023013006, the Netty library was updated to v4.1.86.Final, which fixes this vulnerability.

Starting with Oxygen XML Editor v25.0 build 2023013006, the Netty library was updated to v4.1.86.Final, which fixes this vulnerability.
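The following is an added example, not part of this advisory and not Oxygen's or Netty's own code: a Python check that audits the Netty jars bundled with an installation against the 4.1.86.Final fix threshold named above. The jar filename pattern, the `lib/` paths and the sample classpath are assumptions constructed for the example.

```python
"""Check whether Netty jars on a classpath predate the CVE-2022-41881 fix."""
import re
import sys
from pathlib import Path
from typing import Iterable, Optional, Tuple

# Netty 4.1.86.Final is the first release carrying the fix named in the advisory.
FIXED_VERSION = (4, 1, 86)

# Assumed Maven-style artifact naming, e.g. netty-codec-haproxy-4.1.85.Final.jar
# or netty-all-4.1.86.Final.jar; the ".Final" qualifier is optional.
_NETTY_JAR = re.compile(
    r"^netty-(?P<artifact>[a-z0-9-]+?)-(?P<version>\d+\.\d+\.\d+)(?:\.Final)?\.jar$"
)

def parse_netty_jar(name: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (artifact, (major, minor, patch)) for a Netty jar filename, else None."""
    m = _NETTY_JAR.match(name)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("artifact"), version

def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when the version predates 4.1.86.Final; tuple compare keeps 4.1.9 below 4.1.86."""
    return version < FIXED_VERSION

def audit(jar_names: Iterable[str]) -> dict:
    """Split jar names into 'vulnerable' and 'fixed' Netty artifacts; non-Netty jars are ignored."""
    report = {"vulnerable": [], "fixed": []}
    for name in jar_names:
        parsed = parse_netty_jar(Path(name).name)
        if parsed is None:
            continue
        _artifact, version = parsed
        report["vulnerable" if is_vulnerable(version) else "fixed"].append(name)
    return report

def audit_directory(root: str) -> dict:
    """Walk an install directory (for example its lib/ folder) and audit every jar found."""
    return audit(str(p) for p in Path(root).rglob("*.jar"))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = audit_directory(sys.argv[1])
    else:
        # Constructed sample classpath; not taken from any Oxygen release.
        result = audit(["lib/netty-codec-haproxy-4.1.85.Final.jar",
                        "lib/netty-common-4.1.86.Final.jar",
                        "lib/netty-handler-4.1.9.Final.jar",
                        "lib/guava-31.1-jre.jar"])
    for name in result["vulnerable"]:
        print(f"VULNERABLE (pre-4.1.86.Final): {name}")
    for name in result["fixed"]:
        print(f"ok: {name}")
```

Run it with an installation directory as the first argument to scan real jars; without arguments it audits the constructed sample list.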

Revision History

2023-03-16 Starting with Oxygen Content Fusion version 5.0.3 build 2023022015, the Netty library was updated to version v4.1.86.Final, which includes a fix for CVE-2022-41881.
