[eclipse-sig] [Bug 1944888] New: CVE-2021-21409 netty: Request smuggling via content-length header

Tuesday, 30 March 2021

https://bugzilla.redhat.com/show_bug.cgi?id=1944888

            Bug ID: 1944888
           Summary: CVE-2021-21409 netty: Request smuggling via
                    content-length header
           Product: Security Response
          Hardware: All
                OS: Linux
            Status: NEW
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team(a)redhat.com
          Reporter: psampaio(a)redhat.com
                CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
                    akoufoud(a)redhat.com, akurtako(a)redhat.com,
                    alazarot(a)redhat.com, almorale(a)redhat.com,
                    andjrobins(a)gmail.com, anstephe(a)redhat.com,
                    aos-bugs(a)redhat.com, asoldano(a)redhat.com,
                    atangrin(a)redhat.com, ataylor(a)redhat.com,
                    avibelli(a)redhat.com, bbaranow(a)redhat.com,
                    bbuckingham(a)redhat.com, bcourt(a)redhat.com,
                    bgeorges(a)redhat.com, bkearney(a)redhat.com,
                    bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
                    brian.stansberry(a)redhat.com, btotty(a)redhat.com,
                    cdewolf(a)redhat.com, chazlett(a)redhat.com,
                    clement.escoffier(a)redhat.com, dandread(a)redhat.com,
                    darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
                    dbhole(a)redhat.com, dkreling(a)redhat.com,
                    dosoudil(a)redhat.com, drieden(a)redhat.com,
                    ebaron(a)redhat.com,
                    eclipse-sig(a)lists.fedoraproject.org,
                    eleandro(a)redhat.com, eparis(a)redhat.com,
                    etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org,
                    fjuma(a)redhat.com, ggaughan(a)redhat.com,
                    gmalinko(a)redhat.com, gsmet(a)redhat.com,
                    hamadhan(a)redhat.com, hhudgeon(a)redhat.com,
                    ibek(a)redhat.com, iweiss(a)redhat.com,
                    janstey(a)redhat.com,
                    java-sig-commits(a)lists.fedoraproject.org,
                    jburrell(a)redhat.com, jcantril(a)redhat.com,
                    jerboaa(a)gmail.com, jjohnstn(a)redhat.com,
                    jjoyce(a)redhat.com, jochrist(a)redhat.com,
                    jokerman(a)redhat.com, jpallich(a)redhat.com,
                    jperkins(a)redhat.com, jross(a)redhat.com,
                    jschluet(a)redhat.com, jstastny(a)redhat.com,
                    jwon(a)redhat.com, kaycoth(a)redhat.com,
                    krathod(a)redhat.com, kverlaen(a)redhat.com,
                    kwills(a)redhat.com, lef(a)fedoraproject.org,
                    lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com,
                    lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com,
                    mat.booth(a)gmail.com, mburns(a)redhat.com,
                    mkolesni(a)redhat.com, mmccune(a)redhat.com,
                    mnovotny(a)redhat.com, msochure(a)redhat.com,
                    msvehla(a)redhat.com, mszynkie(a)redhat.com,
                    nmoumoul(a)redhat.com, nstielau(a)redhat.com,
                    nwallace(a)redhat.com, pcreech(a)redhat.com,
                    pdrozd(a)redhat.com, peholase(a)redhat.com,
                    pgallagh(a)redhat.com, pjindal(a)redhat.com,
                    pmackay(a)redhat.com, probinso(a)redhat.com,
                    rchan(a)redhat.com, rgodfrey(a)redhat.com,
                    rgrunber(a)redhat.com, rguimara(a)redhat.com,
                    rjerrido(a)redhat.com, rrajasek(a)redhat.com,
                    rruss(a)redhat.com, rstancel(a)redhat.com,
                    rsvoboda(a)redhat.com, rsynek(a)redhat.com,
                    sbiarozk(a)redhat.com, sclewis(a)redhat.com,
                    scohen(a)redhat.com, sdaley(a)redhat.com,
                    sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com,
                    slinaber(a)redhat.com, smaestri(a)redhat.com,
                    sochotni(a)redhat.com, sokeeffe(a)redhat.com,
                    spinder(a)redhat.com, sponnaga(a)redhat.com,
                    sthorger(a)redhat.com, swoodman(a)redhat.com,
                    tbrisker(a)redhat.com, tflannag(a)redhat.com,
                    theute(a)redhat.com, tom.jenkinson(a)redhat.com,
                    yborgess(a)redhat.com
  Target Milestone: ---
    Classification: Other

Netty is an open-source, asynchronous event-driven network application
framework for rapid development of maintainable high performance protocol
servers & clients. In Netty (io.netty:netty-codec-http2) before version
4.1.61.Final there is a vulnerability that enables request smuggling. The
content-length header is not correctly validated if the request only uses a
single Http2HeaderFrame with the endStream set to to true. This could lead to
request smuggling if the request is proxied to a remote peer and translated to
HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did
miss to fix this one case. This was fixed as part of 4.1.61.Final.

References:

https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38d...
https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj

-- 
You are receiving this mail because:
You are on the CC list for the bug.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

[eclipse-sig] [Bug 1944888] New: CVE-2021-21409 netty: Request smuggling via content-length header