2020-12-22 16:02:19 +00:00
{
"CVE_data_meta" : {
2021-03-09 11:32:23 -07:00
"ASSIGNER" : "security-advisories@github.com" ,
2020-12-22 16:02:19 +00:00
"ID" : "CVE-2021-21295" ,
2021-03-09 11:32:23 -07:00
"STATE" : "PUBLIC" ,
"TITLE" : "Possible request smuggling in HTTP/2 due missing validation"
2020-12-22 16:02:19 +00:00
} ,
2021-03-09 11:32:23 -07:00
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "io.netty:netty-codec-http2" ,
"version" : {
"version_data" : [
{
"version_value" : "< 4.1.60.Final"
}
]
}
}
]
} ,
"vendor_name" : "netty"
}
]
}
} ,
"data_format" : "MITRE" ,
"data_type" : "CVE" ,
"data_version" : "4.0" ,
2020-12-22 16:02:19 +00:00
"description" : {
"description_data" : [
{
"lang" : "eng" ,
2021-03-09 19:01:01 +00:00
"value" : "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`."
2020-12-22 16:02:19 +00:00
}
]
2021-03-09 11:32:23 -07:00
} ,
"impact" : {
"cvss" : {
"attackComplexity" : "HIGH" ,
"attackVector" : "NETWORK" ,
"availabilityImpact" : "NONE" ,
"baseScore" : 5.9 ,
"baseSeverity" : "MEDIUM" ,
"confidentialityImpact" : "NONE" ,
"integrityImpact" : "HIGH" ,
"privilegesRequired" : "NONE" ,
"scope" : "UNCHANGED" ,
"userInteraction" : "NONE" ,
"vectorString" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" ,
"version" : "3.1"
}
} ,
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng" ,
"value" : "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"
}
]
}
]
} ,
"references" : {
"reference_data" : [
{
"name" : "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" ,
"refsource" : "CONFIRM" ,
"url" : "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
} ,
{
"name" : "https://github.com/Netflix/zuul/pull/980" ,
"refsource" : "MISC" ,
"url" : "https://github.com/Netflix/zuul/pull/980"
} ,
{
"name" : "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" ,
"refsource" : "MISC" ,
"url" : "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4"
2021-03-17 12:00:54 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E"
2021-03-17 19:00:45 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E"
2021-03-18 05:00:49 +00:00
} ,
{
"refsource" : "MISC" ,
"name" : "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E" ,
"url" : "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E"
} ,
{
"refsource" : "MISC" ,
"name" : "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E" ,
"url" : "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E"
2021-03-18 07:00:47 +00:00
} ,
{
"refsource" : "MISC" ,
"name" : "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E" ,
"url" : "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E"
2021-03-18 08:00:45 +00:00
} ,
{
"refsource" : "MISC" ,
"name" : "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E" ,
"url" : "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E"
2021-03-29 14:00:40 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290" ,
"url" : "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E"
2021-03-29 17:00:38 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final" ,
"url" : "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E"
2021-03-30 04:00:37 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290" ,
"url" : "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E"
2021-03-30 11:00:38 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final" ,
"url" : "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E"
2021-03-30 17:00:37 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E"
} ,
{
"refsource" : "MLIST" ,
"name" : "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E"
} ,
{
"refsource" : "MLIST" ,
"name" : "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E"
} ,
{
"refsource" : "MLIST" ,
"name" : "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E"
} ,
{
"refsource" : "MLIST" ,
"name" : "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E"
} ,
{
"refsource" : "MLIST" ,
"name" : "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E"
2021-03-31 09:00:40 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E"
} ,
{
"refsource" : "MLIST" ,
"name" : "[zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E"
2021-03-31 10:00:38 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E"
} ,
{
"refsource" : "MLIST" ,
"name" : "[zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E"
} ,
{
"refsource" : "MLIST" ,
"name" : "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E"
} ,
{
"refsource" : "MLIST" ,
"name" : "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E"
2021-03-31 12:00:43 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E"
} ,
{
"refsource" : "MISC" ,
"name" : "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E" ,
"url" : "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E"
2021-03-31 13:00:39 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295" ,
"url" : "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E"
2021-03-09 11:32:23 -07:00
}
]
} ,
"source" : {
"advisory" : "GHSA-wm47-8v5p-wjpj" ,
"discovery" : "UNKNOWN"
2020-12-22 16:02:19 +00:00
}
}
