Bug 2031958 (CVE-2021-43797)

Summary: CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aboyko, aileenc, akoufoud, alazarot, anstephe, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bmaxwell, bmontgom, boliveir, brian.stansberry, btotty, caswilli, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, ehelms, eleandro, eparis, etirelli, ewolinet, extras-orphan, fjuma, ggastald, ggaughan, gmalinko, gsmet, hamadhan, ibek, iweiss, janstey, java-sig-commits, jburrell, jcantril, jerboaa, jjoyce, jochrist, jpallich, jperkins, jrokos, jross, jschluet, jsherril, jstastny, jwon, kaycoth, krathod, kverlaen, kwills, lgao, lhh, loleary, lpeer, lthon, lzap, mburns, mhulan, mkolesni, mmccune, mnovotny, msochure, msvehla, mszynkie, myarboro, nmoumoul, nstielau, nwallace, orabin, pcreech, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, rchan, rgodfrey, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sclewis, scohen, sd-operator-metering, sdouglas, slinaber, smaestri, spinder, sponnaga, sthorger, swoodman, theute, tom.jenkinson, tzimanyi, vkumar, yborgess
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: netty-codec-http 4.1.72.Final
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-02-14 13:47:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2031959, 2033638
Bug Blocks: 2031960

Description Guilherme de Almeida Suckevicz 2021-12-13 19:17:52 UTC
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.7.1.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.7.1.Final to receive a patch.

Reference:
https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq

Upstream patch:
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323
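
The two name-handling policies the description contrasts (silently dropping control characters at the edges of a header name, versus failing fast on any non-token character), as an added Python illustration that is not Netty's code and not part of the original report; the parser helper, the sample header block and its 0x01 byte are constructed for this example.

```python
import string

# RFC 7230 "tchar": the only characters permitted in an HTTP header field name.
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)
# ASCII control characters: 0x00-0x1F plus DEL.
CTL = "".join(chr(c) for c in range(0x20)) + "\x7f"

class InvalidHeaderName(ValueError):
    """Header name contains a character outside the tchar set."""

def lenient_header_name(raw: str) -> str:
    # Models the pre-fix behaviour the advisory describes (not Netty's code):
    # control characters at the start or end of the name are dropped silently.
    return raw.strip(CTL)

def strict_header_name(raw: str) -> str:
    # Models the fixed behaviour: any non-tchar character, anywhere, fails fast.
    if not raw or any(ch not in TCHAR for ch in raw):
        raise InvalidHeaderName(f"illegal header name: {raw!r}")
    return raw

def parse_headers(block: str, name_policy) -> dict:
    # Constructed helper: parse CRLF-separated "Name: value" lines, applying
    # name_policy to each name and lower-casing the key. Not a full HTTP parser.
    headers = {}
    for line in block.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise InvalidHeaderName(f"no ':' in header line {line!r}")
        headers[name_policy(name).lower()] = value.strip()
    return headers

def forwarded_view(block: str) -> dict:
    # What a downstream server receives after a lenient proxy re-serialises the
    # headers: the control byte is gone, so it cannot spot the malformed name.
    return parse_headers(block, lenient_header_name)

def strict_accepts(block: str) -> bool:
    # True if the fail-fast policy lets the block through, False if it rejects it.
    try:
        parse_headers(block, strict_header_name)
        return True
    except InvalidHeaderName:
        return False

# Constructed sample: the second header name carries a leading 0x01 control byte.
SAMPLE = "Host: example.test\r\n\x01X-Constructed: 1\r\n"
```

A proxy that applies the strict policy surfaces the malformed request at the edge instead of passing a cleaned-up version downstream, which is the property the fix restores.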

Comment 1 Guilherme de Almeida Suckevicz 2021-12-13 19:18:21 UTC
Created netty tracking bugs for this issue:

Affects: fedora-all [bug 2031959]

Comment 6 Jonathan Christison 2021-12-17 16:04:09 UTC
Marking the Red Hat AMQ Broker as having a low impact; although a vulnerable version of netty is distributed, its use of netty is not as a proxy to any other HTTP servers, which is a prerequisite of the flaw.

Comment 17 errata-xmlrpc 2022-02-14 13:08:06 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.3.0

Via RHSA-2022:0520 https://access.redhat.com/errata/RHSA-2022:0520

Comment 18 Product Security DevOps Team 2022-02-14 13:47:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-43797

Comment 21 errata-xmlrpc 2022-04-13 11:27:05 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.1.0

Via RHSA-2022:1345 https://access.redhat.com/errata/RHSA-2022:1345

Comment 22 errata-xmlrpc 2022-05-11 18:50:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Logging 5.4

Via RHSA-2022:2216 https://access.redhat.com/errata/RHSA-2022:2216

Comment 23 errata-xmlrpc 2022-05-11 19:52:14 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.2

Via RHSA-2022:2218 https://access.redhat.com/errata/RHSA-2022:2218

Comment 24 errata-xmlrpc 2022-05-11 20:33:21 UTC
This issue has been addressed in the following products:

  OpenShift Logging 5.3

Via RHSA-2022:2217 https://access.redhat.com/errata/RHSA-2022:2217

Comment 25 errata-xmlrpc 2022-05-18 10:56:25 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.7.5

Via RHSA-2022:4623 https://access.redhat.com/errata/RHSA-2022:4623

Comment 26 errata-xmlrpc 2022-06-06 15:11:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2022:4922 https://access.redhat.com/errata/RHSA-2022:4922

Comment 27 errata-xmlrpc 2022-06-06 15:51:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:4918 https://access.redhat.com/errata/RHSA-2022:4918

Comment 28 errata-xmlrpc 2022-06-06 15:58:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:4919 https://access.redhat.com/errata/RHSA-2022:4919

Comment 29 errata-xmlrpc 2022-06-16 14:54:01 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.10.0

Via RHSA-2022:5101 https://access.redhat.com/errata/RHSA-2022:5101

Comment 30 errata-xmlrpc 2022-07-05 14:27:01 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498

Comment 31 errata-xmlrpc 2022-07-07 14:21:43 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 32 errata-xmlrpc 2022-08-04 04:47:38 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.0 async

Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903

Comment 33 errata-xmlrpc 2022-10-04 15:37:19 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:6782 https://access.redhat.com/errata/RHSA-2022:6782

Comment 34 errata-xmlrpc 2022-10-04 15:41:13 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:6783 https://access.redhat.com/errata/RHSA-2022:6783

Comment 35 errata-xmlrpc 2022-10-04 15:53:25 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2022:6787 https://access.redhat.com/errata/RHSA-2022:6787

Comment 36 errata-xmlrpc 2022-11-03 14:51:18 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2022:7410 https://access.redhat.com/errata/RHSA-2022:7410

Comment 37 errata-xmlrpc 2022-11-03 14:51:38 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2022:7409 https://access.redhat.com/errata/RHSA-2022:7409

Comment 38 errata-xmlrpc 2022-11-03 14:52:27 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2022:7411 https://access.redhat.com/errata/RHSA-2022:7411

Comment 39 errata-xmlrpc 2022-11-03 15:14:57 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6.1

Via RHSA-2022:7417 https://access.redhat.com/errata/RHSA-2022:7417