Vulnerability Description
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request consists only of a single Http2HeaderFrame with endStream set to true: because END_STREAM means the stream carries no body, any non-zero content-length on such a frame is inconsistent, yet it was forwarded unchecked. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1, where the peer uses the forwarded Content-Length to decide where the request body ends. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final.
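The following is an added example, not code from Netty or from the advisory: a small Python model of an HTTP/2-to-HTTP/1.1 translating proxy. The frame classes, `translate_vulnerable`, `translate_fixed` and the content-length-only HTTP/1.1 parser are all constructed here to illustrate the mechanism, not to reproduce Netty's implementation. It shows the missed case in the description: a lone HEADERS frame with END_STREAM whose content-length is copied into the HTTP/1.1 request, and how the upstream parser then swallows the next request on the same connection as the body of the first.

```python
# Added example (not Netty code): model of HTTP/2 -> HTTP/1.1 translation and
# why a content-length on a HEADERS frame with END_STREAM must be validated.
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


class RequestSmugglingError(ValueError):
    """Raised when the declared content-length disagrees with the stream."""


@dataclass
class HeadersFrame:
    headers: List[Tuple[str, str]]   # pseudo-headers first, lower-case names
    end_stream: bool


@dataclass
class DataFrame:
    payload: bytes
    end_stream: bool


Frame = Union[HeadersFrame, DataFrame]


def _content_length(headers: List[Tuple[str, str]]) -> Optional[int]:
    for name, value in headers:
        if name == "content-length":
            return int(value)
    return None


def _serialize_h1(headers: List[Tuple[str, str]], body: bytes) -> bytes:
    """Serialise the request as HTTP/1.1, copying non-pseudo headers verbatim.
    This is the step at which an unvalidated content-length reaches the peer."""
    h = dict(headers)
    out = [f"{h[':method']} {h[':path']} HTTP/1.1\r\n",
           f"Host: {h[':authority']}\r\n"]
    for name, value in headers:
        if not name.startswith(":"):
            out.append(f"{name}: {value}\r\n")
    out.append("\r\n")
    return "".join(out).encode() + body


def _collect_body(frames: List[Frame]) -> bytes:
    return b"".join(f.payload for f in frames[1:] if isinstance(f, DataFrame))


def translate_vulnerable(frames: List[Frame]) -> bytes:
    """Models the pre-4.1.61.Final behaviour: content-length is compared with
    DATA frames, but a lone HEADERS frame with END_STREAM skips the check."""
    head = frames[0]
    assert isinstance(head, HeadersFrame)
    if head.end_stream:                      # the missed case: no validation
        return _serialize_h1(head.headers, b"")
    body = _collect_body(frames)
    declared = _content_length(head.headers)
    if declared is not None and declared != len(body):
        raise RequestSmugglingError(f"content-length {declared} != {len(body)}")
    return _serialize_h1(head.headers, body)


def translate_fixed(frames: List[Frame]) -> bytes:
    """END_STREAM on HEADERS means the body is empty, so any content-length
    other than 0 is inconsistent and is rejected before forwarding."""
    head = frames[0]
    assert isinstance(head, HeadersFrame)
    declared = _content_length(head.headers)
    if head.end_stream:
        if declared not in (None, 0):
            raise RequestSmugglingError(
                f"content-length {declared} on HEADERS with END_STREAM")
        return _serialize_h1(head.headers, b"")
    body = _collect_body(frames)
    if declared is not None and declared != len(body):
        raise RequestSmugglingError(f"content-length {declared} != {len(body)}")
    return _serialize_h1(head.headers, body)


def parse_h1_requests(wire: bytes) -> List[Tuple[str, bytes]]:
    """What the HTTP/1.1 peer does: split the byte stream into requests using
    Content-Length (simplified parser; no chunked encoding)."""
    requests = []
    while wire:
        head, _, rest = wire.partition(b"\r\n\r\n")
        lines = head.decode().split("\r\n")
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        requests.append((lines[0], rest[:length]))
        wire = rest[length:]
    return requests


def smuggling_demo(translate) -> List[str]:
    """Two streams (constructed sample input) forwarded over one upstream
    HTTP/1.1 connection; returns the request lines the upstream peer sees."""
    attacker = [HeadersFrame([(":method", "GET"), (":path", "/"),
                              (":authority", "example.test"),
                              ("content-length", "45")], end_stream=True)]
    victim = [HeadersFrame([(":method", "GET"), (":path", "/account"),
                            (":authority", "example.test")], end_stream=True)]
    wire = translate(attacker) + translate(victim)
    return [req_line for req_line, _ in parse_h1_requests(wire)]
```

With the vulnerable translator the upstream parser reports a single request: the 45-byte victim request (exactly the length of `GET /account HTTP/1.1\r\nHost: example.test\r\n\r\n`) is consumed as the attacker's body. The fixed translator raises `RequestSmugglingError` on the attacker's stream before anything is forwarded. Rejecting is one valid hardening; normalising the header to the real body length (0) would also remove the desync.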
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netty | Netty | < 4.1.61 |
| Debian | Debian Linux | 10.0 |
| Netapp | Oncommand Api Services | - |
| Netapp | Oncommand Workflow Automation | - |
| Oracle | Banking Corporate Lending Process Management | 14.2.0 |
| Oracle | Banking Credit Facilities Process Management | 14.2.0 |
| Oracle | Banking Trade Finance Process Management | 14.2.0 |
| Oracle | Coherence | 12.2.1.4.0 |
| Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.3 |
| Oracle | Communications Cloud Native Core Console | 1.7.0 |
| Oracle | Communications Cloud Native Core Policy | 1.14.0 |
| Oracle | Communications Design Studio | 7.4.2.0.0 |
| Oracle | Communications Messaging Server | 8.1 |
| Oracle | Helidon | 1.4.10 |
| Oracle | Jd Edwards Enterpriseone Tools | < 9.2.6.3 |
| Oracle | Nosql Database | < 21.1.12 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.11 |
| Quarkus | Quarkus | <= 1.13.7 |
Related Weaknesses (CWE)
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295 (Third Party Advisory)
- https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432 (Patch, Third Party Advisory)
- https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32 (Third Party Advisory)
- https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj (Third Party Advisory)
- https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576
- https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e1
- https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1
- https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05
- https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44
- https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e
- https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c4071
- https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a
- https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a2
- https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca86243
- https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c6373
FAQ
What is CVE-2021-21409?
CVE-2021-21409 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2...
How severe is CVE-2021-21409?
CVE-2021-21409 has been rated MEDIUM with a CVSS base score of 5.9/10. The severity band is listed in the CVSS Score section above.
Is there a patch for CVE-2021-21409?
Check the references section above for vendor advisories and patch information. Affected products include: Netty Netty, Debian Debian Linux, Netapp Oncommand Api Services, Netapp Oncommand Workflow Automation, Oracle Banking Corporate Lending Process Management.