https://bugzilla.redhat.com/show_bug.cgi?id=1937364
Bug ID: 1937364
Summary: CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
Target Milestone: ---
Classification: Other
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
Reference: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
Upstream patch: https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3d...
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Blocks          |        |1937367
Depends On      |        |1937366, 1937365
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1937365
[Bug 1937365] CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1937366
[Bug 1937366] CVE-2021-21295 eclipse: netty: possible request smuggling in HTTP/2 due missing validation [fedora-all]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created eclipse tracking bugs for this issue:
Affects: fedora-all [bug 1937366]
Created netty tracking bugs for this issue:
Affects: fedora-all [bug 1937365]
--- Comment #5 from Ted (Jong Seok) Won jwon@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat Enterprise Application Platform 6
* Red Hat Enterprise Application Platform 5
* Red Hat JBoss Operations Network 3
* Red Hat Data Grid 7
* Red Hat JBoss AMQ 6
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Przemyslaw Roguski proguski@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Depends On      |        |1927083
Przemyslaw Roguski proguski@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Depends On      |        |1927084
Przemyslaw Roguski proguski@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Depends On      |        |1938226
Przemyslaw Roguski proguski@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Depends On      |        |1927085
Przemyslaw Roguski proguski@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Fixed In Version|        |netty-codec-http 4.1.60.Final
Przemyslaw Roguski proguski@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Depends On      |        |1938252
--- Comment #7 from Przemyslaw Roguski proguski@redhat.com --- External References:
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
Yadnyawalk Tale ytale@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Depends On      |        |1938318
--- Comment #11 from Anten Skrabec askrabec@redhat.com --- Statement:
Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling.
--- Comment #12 from Jonathan Christison jochrist@redhat.com --- Marking Red Hat AMQ Online as having a low impact: although vulnerable versions of netty are distributed and used, none of the affected functionality is ever exposed publicly. One of the prerequisites of this flaw is that an attacker has the ability to alter HTTP requests; as netty in AMQ Online does not handle user HTTP requests, this prerequisite is not present. Another prerequisite of this flaw is that malicious HTTP/2 requests later go on to be proxied, e.g. load balanced. Neither is true in AMQ Online.
--- Comment #14 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ Online 1.7.0 GA
Via RHSA-2021:0986 https://access.redhat.com/errata/RHSA-2021:0986
Product Security DevOps Team prodsec-dev@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Status          |NEW     |CLOSED
Resolution      |---     |ERRATA
Last Closed     |        |2021-03-25 11:35:47
--- Comment #15 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-21295
Florencio Cano fcanogab@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Depends On      |        |1943715, 1943714, 1943713, 1943716
--- Comment #18 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat build of Eclipse Vert.x 4.0.3
Via RHSA-2021:0943 https://access.redhat.com/errata/RHSA-2021:0943
Bug 1937364 depends on bug 1937366, which changed state.
Bug 1937366 Summary: CVE-2021-21295 eclipse: netty: possible request smuggling in HTTP/2 due missing validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1937366

What            |Removed |Added
----------------------------------------------------------------------------
Status          |NEW     |CLOSED
Resolution      |---     |NOTABUG
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
AMQ Clients 2.y for RHEL 7
AMQ Clients 2.y for RHEL 8
Via RHSA-2021:1511 https://access.redhat.com/errata/RHSA-2021:1511
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2021:2051 https://access.redhat.com/errata/RHSA-2021:2051
--- Comment #21 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
Via RHSA-2021:2047 https://access.redhat.com/errata/RHSA-2021:2047
--- Comment #22 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
Via RHSA-2021:2046 https://access.redhat.com/errata/RHSA-2021:2046
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8
Via RHSA-2021:2048 https://access.redhat.com/errata/RHSA-2021:2048
--- Comment #24 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Single Sign-On 7.4.7
Via RHSA-2021:2070 https://access.redhat.com/errata/RHSA-2021:2070
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Data Grid 8.2.0
Via RHSA-2021:2139 https://access.redhat.com/errata/RHSA-2021:2139
--- Comment #29 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ 7.8.2
Via RHSA-2021:2689 https://access.redhat.com/errata/RHSA-2021:2689
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2021:2689
--- Comment #31 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat EAP-XP 2.0.0 via EAP 7.3.x base
Via RHSA-2021:2755 https://access.redhat.com/errata/RHSA-2021:2755
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2021:2755
--- Comment #32 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ Streams 1.8.0
Via RHSA-2021:3225 https://access.redhat.com/errata/RHSA-2021:3225
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2021:3225
--- Comment #33 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2021:3656 https://access.redhat.com/errata/RHSA-2021:3656
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2021:3656
--- Comment #34 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2021:3658 https://access.redhat.com/errata/RHSA-2021:3658
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2021:3658
--- Comment #35 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
EAP 7.4.1 release
Via RHSA-2021:3660 https://access.redhat.com/errata/RHSA-2021:3660
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2021:3660
--- Comment #36 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ 7.9.0
Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2021:3700
--- Comment #37 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat build of Quarkus 2.2.3
Via RHSA-2021:3880 https://access.redhat.com/errata/RHSA-2021:3880
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2021:3880
Bug 1937364 depends on bug 1937365, which changed state.
Bug 1937365 Summary: CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1937365

What            |Removed |Added
----------------------------------------------------------------------------
Status          |NEW     |CLOSED
Resolution      |---     |EOL
--- Comment #38 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.10
Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2021:5134
--- Comment #39 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Satellite 6.11 for RHEL 7
Red Hat Satellite 6.11 for RHEL 8
Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata RHSA-2022:5498