CVE-2024-47535: 
Java vulnerability analysis and mitigation

CVE-2024-47535 is a vulnerability discovered in Netty, an asynchronous event-driven network application framework. The vulnerability was disclosed on November 12, 2024, affecting Netty versions up to 4.1.114. The issue stems from an unsafe reading of environment files in Windows applications, where Netty attempts to load non-existent files (GitHub Advisory, NVD).

The vulnerability occurs when Netty is loaded in a Windows application and attempts to identify the system environment. During this process, Netty tries to read both '/etc/os-release' and '/usr/lib/os-release' files, even in a Windows environment. The issue is that the implementation doesn't verify the OS before attempting to read these files. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

If exploited, this vulnerability can lead to a Denial of Service (DoS) condition. When an attacker creates a large file (larger than 1GB) in the specified paths, the Netty application crashes due to exceeding the JVM memory limit. This behavior occurs 100% of the time in both Server and Client modes if the large file exists (GitHub Advisory).

The vulnerability has been fixed in Netty version 4.1.115. Users are advised to upgrade to this patched version to mitigate the risk (GitHub Advisory, NVD).