Bug 1937364 (CVE-2021-21295)
Summary: | CVE-2021-21295 netty: possible request smuggling in HTTP/2 due to missing validation | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aboyko, aileenc, akoufoud, akurtako, alazarot, almorale, andjrobins, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bmaxwell, bmontgom, brian.stansberry, btotty, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dbecker, dbhole, dkreling, dosoudil, drieden, ebaron, eclipse-sig, eleandro, eparis, etirelli, extras-orphan, fjuma, ganandan, ggaughan, gmalinko, gsmet, hamadhan, hhudgeon, ibek, iweiss, janstey, java-sig-commits, jburrell, jcantril, jerboaa, jjohnstn, jjoyce, jochrist, jokerman, jpallich, jperkins, jross, jschluet, jstastny, jwon, kaycoth, krathod, kverlaen, kwills, lef, lgao, lhh, loleary, lpeer, lthon, lzap, mburns, mkolesni, mmccune, mnovotny, msochure, msvehla, mszynkie, nmoumoul, nstielau, nwallace, pcreech, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, rchan, rgodfrey, rgrunber, rguimara, rjerrido, rrajasek, rruss, rstancel, rsvoboda, rsynek, sbiarozk, sclewis, scohen, sdaley, sd-operator-metering, sdouglas, slinaber, smaestri, sochotni, sokeeffe, spinder, sponnaga, sthorger, swoodman, theute, tom.jenkinson, yborgess |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | netty-codec-http 4.1.60.Final | Doc Type: | If docs needed, set a value |
Doc Text: |
In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up; that is, it is not checked against the sum of the DATA frame payloads that form the body, which RFC 7540 section 8.1.2.6 requires before the request may be treated as well-formed. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec`, and is then sent up to the child channel's pipeline and proxied through to a remote peer as HTTP/1.1, this may result in request smuggling, because the HTTP/1.1 peer frames the body by the unverified Content-Length value.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-03-25 11:35:47 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1943713, 1943714, 1943715, 1943716, 1927083, 1927084, 1927085, 1937365, 1937366, 1938226, 1938252, 1938318 | ||
Bug Blocks: | 1937367 |
Description
Guilherme de Almeida Suckevicz
2021-03-10 13:34:13 UTC
Created eclipse tracking bugs for this issue:

Affects: fedora-all [bug 1937366]

Created netty tracking bugs for this issue:

Affects: fedora-all [bug 1937365]

This vulnerability is out of security support scope for the following products:

* Red Hat Enterprise Application Platform 6
* Red Hat Enterprise Application Platform 5
* Red Hat JBoss Operations Network 3
* Red Hat Data Grid 7
* Red Hat JBoss AMQ 6
* Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

External References:

https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj

Statement:

Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.

Marking Red Hat AMQ Online as having a low impact. Although vulnerable versions of netty are distributed and used, none of the affected functionality is ever exposed publicly. One of the prerequisites of this flaw is that an attacker has the ability to alter HTTP requests; as netty in AMQ Online does not handle user HTTP requests, this prerequisite is not present. Another prerequisite of this flaw is that malicious HTTP/2 requests later go on to be proxied, e.g. load balanced. Neither is true in AMQ Online.

This issue has been addressed in the following products:

  Red Hat AMQ Online 1.7.0 GA

Via RHSA-2021:0986 https://access.redhat.com/errata/RHSA-2021:0986

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21295

This issue has been addressed in the following products:

  Red Hat build of Eclipse Vert.x 4.0.3

Via RHSA-2021:0943 https://access.redhat.com/errata/RHSA-2021:0943

This issue has been addressed in the following products:

  AMQ Clients 2.y for RHEL 7
  AMQ Clients 2.y for RHEL 8

Via RHSA-2021:1511 https://access.redhat.com/errata/RHSA-2021:1511

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2021:2051 https://access.redhat.com/errata/RHSA-2021:2051

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:2047 https://access.redhat.com/errata/RHSA-2021:2047

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:2046 https://access.redhat.com/errata/RHSA-2021:2046

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:2048 https://access.redhat.com/errata/RHSA-2021:2048

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.7

Via RHSA-2021:2070 https://access.redhat.com/errata/RHSA-2021:2070

This issue has been addressed in the following products:

  Red Hat Data Grid 8.2.0

Via RHSA-2021:2139 https://access.redhat.com/errata/RHSA-2021:2139

This issue has been addressed in the following products:

  Red Hat AMQ 7.8.2

Via RHSA-2021:2689 https://access.redhat.com/errata/RHSA-2021:2689

This issue has been addressed in the following products:

  Red Hat EAP-XP 2.0.0 via EAP 7.3.x base

Via RHSA-2021:2755 https://access.redhat.com/errata/RHSA-2021:2755

This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.8.0

Via RHSA-2021:3225 https://access.redhat.com/errata/RHSA-2021:3225

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2021:3656 https://access.redhat.com/errata/RHSA-2021:3656

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2021:3658 https://access.redhat.com/errata/RHSA-2021:3658

This issue has been addressed in the following products:

  EAP 7.4.1 release

Via RHSA-2021:3660 https://access.redhat.com/errata/RHSA-2021:3660

This issue has been addressed in the following products:

  Red Hat AMQ 7.9.0

Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700

This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.2.3

Via RHSA-2021:3880 https://access.redhat.com/errata/RHSA-2021:3880

This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498 |
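The Doc Text above describes the mechanism in terms of Netty handlers; the following is an added example, not code from this bug or from the Netty project, that models the same proxy boundary in plain Python so the smuggling effect and the missing check can be seen end to end. The types and function names (`H2Request`, `to_http11_unvalidated`, `to_http11_validated`, `split_http11_requests`, `rejects`) and the sample requests are assumptions of this example; the converter stands in for the HTTP/2-to-HTTP/1.1 conversion and forward, and the splitter stands in for an upstream HTTP/1.1 peer that frames each body by Content-Length.

```python
"""Constructed model of the HTTP/2 -> HTTP/1.1 proxy boundary behind CVE-2021-21295.

Not Netty code. A proxy receives an HTTP/2 stream (HEADERS frame plus DATA
frames), converts it to HTTP/1.1 and forwards the bytes to an upstream that
speaks HTTP/1.1. All names below are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class H2Request:
    """Decoded HTTP/2 request stream: pseudo-headers, header fields (lower-case
    names, as HPACK delivers them) and the payload of each DATA frame in order."""
    method: str
    path: str
    authority: str
    headers: List[Tuple[str, str]]
    data: List[bytes]


def _serialize(req: H2Request, headers: List[Tuple[str, str]], body: bytes) -> bytes:
    """Write an HTTP/1.1 request: request line, Host from :authority, fields, body."""
    lines = [f"{req.method} {req.path} HTTP/1.1", f"Host: {req.authority}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def to_http11_unvalidated(req: H2Request) -> bytes:
    """Vulnerable conversion: content-length from the HEADERS frame is copied
    through unchanged and every DATA payload is appended, however long, which
    is the pre-4.1.60 behaviour the advisory describes."""
    return _serialize(req, req.headers, b"".join(req.data))


class SmugglingAttempt(ValueError):
    """Declared content-length disagrees with what the stream carried."""


def to_http11_validated(req: H2Request) -> bytes:
    """Hardened conversion: enforce RFC 7540 section 8.1.2.6 (content-length
    must equal the sum of DATA payload lengths), reject duplicate or non-numeric
    values, and re-emit Content-Length from the bytes actually received."""
    body = b"".join(req.data)
    declared = [v for k, v in req.headers if k == "content-length"]
    if len(declared) > 1:
        raise SmugglingAttempt(f"multiple content-length fields: {declared}")
    if declared and not re.fullmatch(r"[0-9]+", declared[0]):
        raise SmugglingAttempt(f"non-numeric content-length: {declared[0]!r}")
    if declared and int(declared[0]) != len(body):
        raise SmugglingAttempt(f"content-length {declared[0]} but {len(body)} body bytes")
    headers = [(k, v) for k, v in req.headers if k != "content-length"]
    headers.append(("content-length", str(len(body))))
    return _serialize(req, headers, body)


def rejects(req: H2Request) -> bool:
    """True if the hardened converter refuses to forward the request."""
    try:
        to_http11_validated(req)
    except SmugglingAttempt:
        return True
    return False


def split_http11_requests(wire: bytes) -> List[Tuple[str, bytes]]:
    """What a simple HTTP/1.1 upstream sees on one connection: read a head, take
    Content-Length bytes as the body, then parse the next request from whatever
    follows. Returns (request line, body) for each request it recognises."""
    requests, pos = [], 0
    while pos < len(wire):
        end = wire.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("truncated request head")
        head_lines = wire[pos:end].decode("latin-1").split("\r\n")
        length = 0
        for line in head_lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        body_start = end + 4
        body = wire[body_start:body_start + length]
        if len(body) < length:
            raise ValueError("truncated body")
        requests.append((head_lines[0], body))
        pos = body_start + length
    return requests


# Constructed sample: a 5-byte upload whose stream carries a complete second
# HTTP/1.1 request after the declared 5 bytes. An HTTP/2 peer that validates
# would reject the mismatch; the unvalidated conversion forwards it as-is.
SMUGGLED = H2Request(
    method="POST", path="/api/upload", authority="victim.example",
    headers=[("content-type", "text/plain"), ("content-length", "5")],
    data=[b"hello", b"GET /admin/delete-user?id=1 HTTP/1.1\r\nHost: victim.example\r\n\r\n"],
)

# Constructed sample: the same upload split over two DATA frames, honest length.
BENIGN = H2Request(method="POST", path="/api/upload", authority="victim.example",
                   headers=[("content-length", "5")], data=[b"hel", b"lo"])

if __name__ == "__main__":
    for line, body in split_http11_requests(to_http11_unvalidated(SMUGGLED)):
        print("upstream parsed:", line, body)   # two requests, the second smuggled
    print("hardened rejects smuggled:", rejects(SMUGGLED))
    print("hardened forwards benign:", split_http11_requests(to_http11_validated(BENIGN)))
```

The hardened converter does two things a practitioner should look for in any HTTP/2-to-HTTP/1.1 bridge: it checks the declared length against the DATA frames before anything is forwarded, and it regenerates Content-Length from the bytes it actually saw instead of trusting the client's field, so the upstream's framing can never diverge from the proxy's.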