CVE-2022-41881 - Denial of Service (DoS)
Severity: High2023-02-01
Abstract
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
The Oxygen products incorporate Netty as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| Oxygen XML Author v25.0 and older | Low | Oxygen XML Author 25.0 build 2023013006 |
| Oxygen XML Developer v25.0 and older | Low | Oxygen XML Developer 25.0 build 2023013006 |
| Oxygen XML Editor v25.0 and older | Low | Oxygen XML Editor 25.0 build 2023013006 |
| Oxygen Content Fusion v5.0.2 and older | High | Oxygen Content Fusion 5.0.3 build 2023022015 |
Detail
CVE-2022-41881
Severity: High
CVSS Score: 7.5
The Netty third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41881 vulnerability description.
Starting with Oxygen XML Author v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.
Starting with Oxygen XML Developer v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.
Starting with Oxygen XML Editor v25.0 build 2023013006 Netty library was updated to v4.1.86.Final which fixes this vulnerability.
