Bug 1183262 - (CVE-2021-21295) VUL-0: CVE-2021-21295: netty: HTTP/2 request Content-Length header field is not validated by `Http2MultiplexHandler`
VUL-0: CVE-2021-21295: netty: HTTP/2 request Content-Length header field is n...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Fridrich Strba
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2021-03-10 08:07 UTC by Alexander Bergmann
Modified: 2022-08-12 12:23 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2021-03-10 08:07:42 UTC

Netty is an open-source, asynchronous event-driven network application framework
for rapid development of maintainable high performance protocol servers &
clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there
is a vulnerability that enables request smuggling. If a Content-Length header is
present in the original HTTP/2 request, the field is not validated by
`Http2MultiplexHandler` as it is propagated up. This is fine as long as the
request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2
stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`,
`HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to
the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this
may result in request smuggling. In a proxy case, users may assume the
content-length is validated somehow, which is not the case. If the request is
forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length
now has meaning and needs to be checked. An attacker can smuggle requests inside
the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack
refer to the linked GitHub Advisory. Users are only affected if all of this is
true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used,
`Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and
these HTTP/1.1 objects are forwarded to another remote peer. This has been
patched in 4.1.60.Final As a workaround, the user can do the validation by
themselves by implementing a custom `ChannelInboundHandler` that is put in the
`ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.

Comment 1 OBSbugzilla Bot 2021-03-12 09:10:07 UTC
This is an autogenerated message for OBS integration:
This bug (1183262) was mentioned in
https://build.opensuse.org/request/show/878486 Factory / netty
Comment 3 OBSbugzilla Bot 2021-03-12 16:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (1183262) was mentioned in
https://build.opensuse.org/request/show/878593 Factory / netty
Comment 4 Swamp Workflow Management 2021-03-19 17:19:51 UTC
openSUSE-SU-2021:0448-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1183262
CVE References: CVE-2021-21295
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    netty-4.1.13-lp152.3.3.1
Comment 5 Fridrich Strba 2022-04-07 09:51:17 UTC
Comment 6 Swamp Workflow Management 2022-04-20 10:27:15 UTC
SUSE-SU-2022:1271-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1182103,1183262,1190610,1190613,1193672
CVE References: CVE-2021-21290,CVE-2021-21295,CVE-2021-37136,CVE-2021-37137,CVE-2021-43797
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    netty-4.1.75-150200.4.6.2
openSUSE Leap 15.3 (src):    netty-4.1.75-150200.4.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.