Vulnerability Description
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control characters when they are present at the beginning or end of a header name. It should instead fail fast, because these characters are not allowed by the HTTP specification and accepting them can lead to HTTP request smuggling. Skipping the validation means that Netty, when used as a proxy, may "sanitize" header names before it forwards them to another remote system; that remote system no longer sees the invalid usage and therefore cannot perform the validation itself. Users should upgrade to version 4.1.71.Final.
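The behaviour the description refers to, as an added example that is not Netty's own code: a minimal HTTP/1.1 header parser with two validators, one that models the lenient pre-4.1.71.Final behaviour (control characters at the edges of a header name are skipped) and one that fails fast as the fix does. The request bytes, the function names (`sanitize_header_name`, `strict_header_name`, `forward_through_proxy`, `is_rejected`) and the "proxy" re-serialisation are constructed for this illustration and model only what the description states, not Netty's internal parser.

```python
# Added example (not Netty's code): a minimal HTTP/1.1 header parser that
# contrasts the lenient behaviour described in the advisory (control characters
# at the start or end of a header name are skipped) with the fail-fast
# behaviour of 4.1.71.Final. The request bytes, the function names and the
# "proxy" helper are constructed for this illustration.

# RFC 7230 "tchar": the only characters permitted in a header field name.
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyz"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ")


class HeaderNameError(ValueError):
    """Raised by the strict validator when a header name contains an illegal byte."""


def _is_control(ch: str) -> bool:
    """ASCII control characters: 0x00-0x1F and DEL (0x7F)."""
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def sanitize_header_name(raw: str) -> str:
    """Lenient behaviour (pre-4.1.71.Final as described above): control
    characters at the beginning or end of the name are silently skipped."""
    start, end = 0, len(raw)
    while start < end and _is_control(raw[start]):
        start += 1
    while end > start and _is_control(raw[end - 1]):
        end -= 1
    return raw[start:end]


def strict_header_name(raw: str) -> str:
    """Fail-fast behaviour: every character must be a tchar, otherwise the
    whole request is rejected rather than repaired."""
    if not raw or any(ch not in TCHAR for ch in raw):
        raise HeaderNameError(f"illegal header name {raw!r}")
    return raw


def parse_headers(head: bytes, name_filter):
    """Parse the header block that follows an HTTP/1.1 request line.
    name_filter is sanitize_header_name or strict_header_name."""
    headers = []
    for line in head.decode("latin-1").split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise HeaderNameError(f"malformed header line {line!r}")
        headers.append((name_filter(name), value.strip()))
    return headers


def forward_through_proxy(head: bytes, name_filter) -> bytes:
    """Re-serialise the parsed headers the way a proxy would before sending
    them to the next hop. With the lenient filter the bytes that reach the
    backend no longer contain the control character the client sent."""
    parsed = parse_headers(head, name_filter)
    return b"".join(f"{n}: {v}\r\n".encode("latin-1") for n, v in parsed) + b"\r\n"


def is_rejected(head: bytes, name_filter) -> bool:
    """True if the given validator refuses the header block."""
    try:
        parse_headers(head, name_filter)
    except HeaderNameError:
        return True
    return False


# Constructed request: the client prefixes Transfer-Encoding with a vertical
# tab (0x0B). A strict peer treats the line as invalid; a lenient parser
# turns it into a perfectly ordinary Transfer-Encoding header.
SMUGGLED_HEAD = (b"Host: backend.internal\r\n"
                 b"Content-Length: 4\r\n"
                 b"\x0bTransfer-Encoding: chunked\r\n"
                 b"\r\n")

if __name__ == "__main__":
    print("lenient  :", parse_headers(SMUGGLED_HEAD, sanitize_header_name))
    print("forwarded:", forward_through_proxy(SMUGGLED_HEAD, sanitize_header_name))
    print("strict rejects:", is_rejected(SMUGGLED_HEAD, strict_header_name))
```

Run as a script, the lenient path shows the header block the backend would receive: the vertical tab is gone and `Transfer-Encoding: chunked` now sits next to `Content-Length: 4` as a valid header, so the next hop has no way to tell that the client sent a malformed name. The strict path rejects the request at the first hop, which is the fail-fast behaviour the advisory asks for. Whether a concrete desync follows depends on how the systems on either side of the proxy interpret the original and the rewritten bytes; the example only demonstrates that the proxy changes them.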
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netty | Netty | < 4.1.71 |
| Quarkus | Quarkus | < 2.5.3 |
| Netapp | Oncommand Workflow Automation | - |
| Netapp | Snapcenter | - |
| Oracle | Banking Deposits And Lines Of Credit Servicing | 2.7 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Banking Platform | 2.6.2 |
| Oracle | Coherence | 12.2.1.4.0 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.11.0 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 |
| Oracle | Communications Cloud Native Core Policy | 1.15.0 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.7.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.15.0 |
| Oracle | Communications Design Studio | 7.4.2 |
| Oracle | Communications Instant Messaging Server | 8.1 |
| Oracle | Helidon | 1.4.10 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 (Patch, Third Party Advisory)
- https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220107-0003/ (Third Party Advisory)
- https://www.debian.org/security/2023/dsa-5316 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-43797?
CVE-2021-43797 is a vulnerability with a CVSS score of 6.5 (MEDIUM) in Netty, an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control characters at the beginning or end of a header name instead of rejecting the request, which can enable HTTP request smuggling when Netty forwards the sanitized headers to another system as a proxy.
How severe is CVE-2021-43797?
CVE-2021-43797 has been rated MEDIUM with a CVSS base score of 6.5/10. Only the base score and severity rating are listed on this page; the vector breakdown is available in the vendor advisories linked in the references.
Is there a patch for CVE-2021-43797?
Yes. Netty 4.1.71.Final contains the fix (see the netty commit and the GHSA-wx5j-54mm-rqqq advisory in the references); Quarkus users should move to 2.5.3 or later. Debian shipped fixes via DSA-5316 and the January 2023 LTS announcement, and Oracle addressed the affected products in its April and July 2022 Critical Patch Updates. Affected products include: Netty Netty, Quarkus Quarkus, Netapp Oncommand Workflow Automation, Netapp Snapcenter, Oracle Banking Deposits And Lines Of Credit Servicing.