Bugzilla – Bug 1193672
VUL-0: CVE-2021-43797: netty3, netty: possible HTTP request smuggling due to insufficient validation against control characters
Last modified: 2022-09-15 13:20:21 UTC
CVE-2021-43797

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final to receive a patch.

Upstream fixing commit:
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43797
https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323
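Added example (not Netty's code, and not part of this bug report or the advisories it links): a Python model of the header-name handling the description above is about. parse_header_lenient mirrors the pre-fix behaviour described there (control characters at the beginning or end of a header name are skipped and the cleaned-up name is forwarded); parse_header_strict fails fast, as the fix does. The header lines it processes and the proxy/backend roles are constructed for the example, and all function names are the example's own.

```python
from __future__ import annotations

import string

# RFC 7230 "tchar": the only characters permitted in an HTTP header field-name.
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)


class HeaderError(ValueError):
    """Raised by the strict parser when a header line is malformed."""


def _is_ctl_or_ws(ch: str) -> bool:
    """ASCII control characters (0x00-0x1F, 0x7F) and SP: what the lenient
    parser silently drops at the edges of a header name."""
    return ord(ch) < 0x20 or ord(ch) == 0x7F or ch == " "


def parse_header_lenient(line: str) -> tuple[str, str]:
    """Model of the pre-fix behaviour: trim control chars and whitespace off
    both ends of the name, then return (name, value)."""
    colon = line.index(":")  # the example only feeds it "name: value" lines
    raw_name, value = line[:colon], line[colon + 1:]
    start, end = 0, len(raw_name)
    while start < end and _is_ctl_or_ws(raw_name[start]):
        start += 1
    while end > start and _is_ctl_or_ws(raw_name[end - 1]):
        end -= 1
    return raw_name[start:end], value.strip()


def parse_header_strict(line: str) -> tuple[str, str]:
    """Fail-fast behaviour: a name containing any non-token character is
    rejected instead of being cleaned up."""
    colon = line.find(":")
    if colon <= 0:
        raise HeaderError(f"missing header name in {line!r}")
    name = line[:colon]
    for ch in name:
        if ch not in TCHAR:
            raise HeaderError(f"invalid character {ch!r} in header name {name!r}")
    return name, line[colon + 1:].strip()


def strict_accepts(header_lines) -> bool:
    """True if every line passes the strict parser."""
    try:
        for line in header_lines:
            parse_header_strict(line)
    except HeaderError:
        return False
    return True


def forward(header_lines, parser):
    """What a proxy re-emits downstream after parsing with `parser`:
    a clean "Name: value" line per header, whatever the input looked like."""
    return [f"{name}: {value}" for name, value in map(parser, header_lines)]


# Constructed input: the body-length header's name starts with 0x1F (ASCII US).
CONSTRUCTED_HEADERS = [
    "Host: app.internal",
    "\x1fContent-Length: 5",
]


def demo():
    """Returns (what a lenient proxy forwards,
                whether a strict parser accepts the original,
                whether a strict parser accepts the forwarded copy)."""
    forwarded = forward(CONSTRUCTED_HEADERS, parse_header_lenient)
    return (
        forwarded,
        strict_accepts(CONSTRUCTED_HEADERS),  # False: the raw request is malformed
        strict_accepts(forwarded),            # True: the proxy hid the malformation
    )


if __name__ == "__main__":
    forwarded, raw_ok, fwd_ok = demo()
    print("forwarded:", forwarded)
    print("strict parser accepts original:", raw_ok)
    print("strict parser accepts forwarded:", fwd_ok)
```

The point is the third value: a strict parser behind the lenient proxy sees only the cleaned-up "Content-Length: 5" and has no way to know the client sent something it would have rejected. Whether that disagreement becomes a usable desync depends on what the other hops do with the raw bytes; the model only shows where the disagreement comes from.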
Vulnerable codestreams:

netty:
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update
- SUSE:SLE-15-SP3:Update:Products:Manager42:Update
- SUSE:SLE-15-SP2:Update
- openSUSE:Backports:SLE-15-SP2:Update
- openSUSE:Backports:SLE-15-SP3:Update
- openSUSE:Factory

netty3:
- SUSE:SLE-15-SP2:Update
- openSUSE:Factory
This is an autogenerated message for OBS integration: This bug (1193672) was mentioned in https://build.opensuse.org/request/show/946202 Factory / netty
This is an autogenerated message for OBS integration: This bug (1193672) was mentioned in https://build.opensuse.org/request/show/967671 Factory / netty3
SUSE-SU-2022:1271-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1182103,1183262,1190610,1190613,1193672
CVE References: CVE-2021-21290,CVE-2021-21295,CVE-2021-37136,CVE-2021-37137,CVE-2021-43797
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): netty-4.1.75-150200.4.6.2
openSUSE Leap 15.3 (src): netty-4.1.75-150200.4.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2047-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1193672,1197787
CVE References: CVE-2021-43797
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): netty3-3.10.6-150200.3.3.2
openSUSE Leap 15.3 (src): netty3-3.10.6-150200.3.3.2
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): netty3-3.10.6-150200.3.3.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): netty3-3.10.6-150200.3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is still affected in:
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update
- SUSE:SLE-15-SP3:Update:Products:Manager42:Update
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update

Not sure if the SUMA team handles this usually or the bugowner? CCing Julio from the SUMA team.
The package we ship in SUSE Manager is not affected by this CVE. If you look at the linked netty security advisory and related commit, you'll see it affects module codec-http. This module is NOT part of the package; it is neither built nor shipped. You can see that from the build command we use in the build.sh (in package https://build.suse.de/package/show/SUSE:SLE-15-SP4:Update:Products:Manager43/netty and it's the same for 4.2 and 4.1):

mvn package --projects common,buffer,resolver,transport,codec,handler,transport-native-unix-common -DskipTests=true

This translates to the following jars being packaged and installed:

suma-ref41-srv:~ # find /usr/share/java/ -name "netty*" -type f
/usr/share/java/netty-buffer-4.1.44.Final.jar
/usr/share/java/netty-codec-4.1.44.Final.jar
/usr/share/java/netty-common-4.1.44.Final.jar
/usr/share/java/netty-handler-4.1.44.Final.jar
/usr/share/java/netty-resolver-4.1.44.Final.jar
/usr/share/java/netty-transport-4.1.44.Final.jar
/usr/share/java/netty-transport-native-unix-common-4.1.44.Final.jar

I was initially confused by the "codec" naming, but the module netty-codec-http is not part of our distribution.
(In reply to Thomas Florio from comment #16)
> The package we ship in SUSE Manager is not affected by this CVE. If you look
> at the linked netty security advisory and related commit, you'll see it
> affects module codec-http. This module is NOT part of the package, it is not
> built nor shipped. You can see that from the build command we use in the
> build.sh (in package
> https://build.suse.de/package/show/SUSE:SLE-15-SP4:Update:Products:Manager43/
> netty and it's the same for 4.2 and 4.1):
>
> mvn package --projects
> common,buffer,resolver,transport,codec,handler,transport-native-unix-common
> -DskipTests=true
>
> This translates to the following jars being packaged and installed:
>
> suma-ref41-srv:~ # find /usr/share/java/ -name "netty*" -type f
> /usr/share/java/netty-buffer-4.1.44.Final.jar
> /usr/share/java/netty-codec-4.1.44.Final.jar
> /usr/share/java/netty-common-4.1.44.Final.jar
> /usr/share/java/netty-handler-4.1.44.Final.jar
> /usr/share/java/netty-resolver-4.1.44.Final.jar
> /usr/share/java/netty-transport-4.1.44.Final.jar
> /usr/share/java/netty-transport-native-unix-common-4.1.44.Final.jar
>
> I was initially confused by the "codec" naming, but the module
> netty-codec-http is not part of our distribution.

Indeed, thank you very much for this clarification. Closing
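Added example, not from the thread above or from the SUSE package: the find -name "netty*" listing in the thread matches on jar file names, which is the right check for a distro-built package but says nothing about shaded or uber jars that bundle codec-http under some other name. This scans the archives themselves for a class from the affected module (io.netty.handler.codec.http.HttpObjectDecoder; the thread only names the module, so the choice of class is the example's own). The jars it scans are constructed in a temporary directory to mirror the seven SUMA jars listed above plus one hypothetical shaded application jar.

```python
from __future__ import annotations

import os
import tempfile
import zipfile

# A class that only ships in netty-codec-http. Matching on the entry name inside
# the archive catches the module wherever it was repackaged.
CODEC_HTTP_CLASS = "io/netty/handler/codec/http/HttpObjectDecoder.class"


def jars_bundling_codec_http(root: str) -> list[str]:
    """Paths (relative to root) of every .jar under root whose archive
    contains the codec-http decoder class, regardless of the file name."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.endswith(".jar"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    if CODEC_HTTP_CLASS in zf.namelist():
                        hits.append(os.path.relpath(path, root))
            except zipfile.BadZipFile:
                continue  # unreadable archive: not a jar we can inspect here
    return sorted(hits)


def _write_jar(path: str, entries: list[str]) -> None:
    """Write a minimal jar (a zip) with empty entries; only the names matter."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")


SUMA_MODULES = [
    "buffer", "codec", "common", "handler",
    "resolver", "transport", "transport-native-unix-common",
]


def demo_scan() -> list[str]:
    """Constructed fixture: the seven SUMA jars by name, none carrying
    codec-http, plus a hypothetical shaded jar that does. Returns the scan result."""
    with tempfile.TemporaryDirectory() as root:
        libdir = os.path.join(root, "usr", "share", "java")
        os.makedirs(libdir)
        for mod in SUMA_MODULES:
            _write_jar(
                os.path.join(libdir, f"netty-{mod}-4.1.44.Final.jar"),
                [f"io/netty/{mod.replace('-', '/')}/Placeholder.class"],
            )
        # Hypothetical application jar with netty relocated inside it.
        _write_jar(
            os.path.join(libdir, "some-app-all.jar"),
            ["com/example/Main.class", CODEC_HTTP_CLASS],
        )
        return jars_bundling_codec_http(root)


if __name__ == "__main__":
    for hit in demo_scan():
        print("codec-http found inside:", hit)
```

Run it against a real /usr/share/java (or an application's lib directory) by calling jars_bundling_codec_http on that path; an empty result is the evidence behind "not built nor shipped" that a file-name listing alone does not give you.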