Bugzilla – Bug 1183262
VUL-0: CVE-2021-21295: netty: HTTP/2 request Content-Length header field is not validated by `Http2MultiplexHandler`
Last modified: 2022-09-15 13:30:26 UTC
CVE-2021-21295

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling.

If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory.

Users are only affected if all of this is true: `Http2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer.

This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295
https://github.com/Netflix/zuul/pull/980
https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
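The workaround described in the report (a custom `ChannelInboundHandler` placed behind `Http2StreamFrameToHttpObjectCodec` in the HTTP/2 child-channel pipeline) as an added example; this is not Netty's own code, nor the fix from the linked commit, and the class name `ContentLengthGuard` and the `install` helper are assumptions. It assumes the Netty 4.1 `netty-codec-http` / `netty-codec-http2` API and enforces the HTTP/1.1 meaning of Content-Length on the converted `HttpRequest`/`HttpContent` objects before anything is forwarded to an HTTP/1.1 backend:

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.Channel;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.handler.codec.http2.Http2FrameCodecBuilder;
import io.netty.handler.codec.http2.Http2MultiplexHandler;
import io.netty.handler.codec.http2.Http2StreamFrameToHttpObjectCodec;
import io.netty.util.ReferenceCountUtil;

/**
 * Hypothetical workaround handler (example code, not Netty's): sits directly behind
 * Http2StreamFrameToHttpObjectCodec in the child-channel pipeline and checks that the
 * body actually delivered on the stream matches the Content-Length the client declared.
 */
public final class ContentLengthGuard extends ChannelInboundHandlerAdapter {
    private long declared = -1;   // -1: the current request carries no Content-Length
    private long received;        // body bytes seen so far for the current request
    private boolean rejected;     // once set, nothing further on this stream is forwarded

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        if (rejected) {
            ReferenceCountUtil.release(msg);
            return;
        }
        if (msg instanceof HttpRequest) {
            HttpRequest req = (HttpRequest) msg;
            declared = -1;
            received = 0;
            if (HttpUtil.isContentLengthSet(req)) {
                // A duplicated Content-Length, or Content-Length next to
                // Transfer-Encoding: chunked, is ambiguous for an HTTP/1.1 peer.
                if (req.headers().getAll(HttpHeaderNames.CONTENT_LENGTH).size() != 1
                        || HttpUtil.isTransferEncodingChunked(req)) {
                    reject(ctx, msg);
                    return;
                }
                try {
                    declared = HttpUtil.getContentLength(req, -1L);
                } catch (NumberFormatException e) {   // non-numeric value
                    reject(ctx, msg);
                    return;
                }
                if (declared < 0) {
                    reject(ctx, msg);
                    return;
                }
            }
        }
        if (msg instanceof HttpContent) {
            received += ((HttpContent) msg).content().readableBytes();
            // Body longer than declared: the surplus would be parsed by the
            // HTTP/1.1 backend as the start of a second, attacker-supplied request.
            if (declared >= 0 && received > declared) {
                reject(ctx, msg);
                return;
            }
        }
        if (msg instanceof LastHttpContent && declared >= 0 && received != declared) {
            reject(ctx, msg);   // body shorter than declared: backend would absorb the next request
            return;
        }
        ctx.fireChannelRead(msg);
    }

    private void reject(ChannelHandlerContext ctx, Object msg) {
        rejected = true;
        ReferenceCountUtil.release(msg);
        DefaultFullHttpResponse resp = new DefaultFullHttpResponse(
                HttpVersion.HTTP_1_1, HttpResponseStatus.BAD_REQUEST, Unpooled.EMPTY_BUFFER);
        HttpUtil.setContentLength(resp, 0);
        // The codec encodes this HTTP/1.1 response back into HTTP/2 frames; closing the
        // child channel ends the stream, so the smuggled bytes never reach the backend.
        ctx.writeAndFlush(resp).addListener(ChannelFutureListener.CLOSE);
    }

    /** Installs the HTTP/2 server codec and a per-stream pipeline with the guard in place. */
    public static void install(ChannelPipeline parent) {
        parent.addLast(Http2FrameCodecBuilder.forServer().build());
        parent.addLast(new Http2MultiplexHandler(new ChannelInitializer<Channel>() {
            @Override
            protected void initChannel(Channel ch) {
                ch.pipeline().addLast(new Http2StreamFrameToHttpObjectCodec(true));
                ch.pipeline().addLast(new ContentLengthGuard());   // right behind the codec
                // ...followed by the application's own handler that forwards the
                // HttpRequest/HttpContent objects to the HTTP/1.1 backend (not shown).
            }
        }));
    }
}
```

The guard is only a mitigation for deployments that cannot move off the affected versions immediately; upgrading to 4.1.60.Final or later, as the report states, is the actual fix. It is also only needed on the pipeline of the child channel, since the Content-Length header has no framing meaning while the request is still HTTP/2.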
This is an autogenerated message for OBS integration: This bug (1183262) was mentioned in https://build.opensuse.org/request/show/878486 Factory / netty
This is an autogenerated message for OBS integration: This bug (1183262) was mentioned in https://build.opensuse.org/request/show/878593 Factory / netty
openSUSE-SU-2021:0448-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1183262 CVE References: CVE-2021-21295 JIRA References: Sources used: openSUSE Leap 15.2 (src): netty-4.1.13-lp152.3.3.1
fixed
SUSE-SU-2022:1271-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1182103,1183262,1190610,1190613,1193672 CVE References: CVE-2021-21290,CVE-2021-21295,CVE-2021-37136,CVE-2021-37137,CVE-2021-43797 JIRA References: Sources used: openSUSE Leap 15.4 (src): netty-4.1.75-150200.4.6.2 openSUSE Leap 15.3 (src): netty-4.1.75-150200.4.6.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
As commented as well in https://bugzilla.suse.com/show_bug.cgi?id=1193672#c16 the package we ship with SUSE Manager is not affected by this CVE. This is in fact related to the netty modules codec-http and codec-http2, which we do not ship nor build. Please see the other comment for more pieces of information.
(In reply to Thomas Florio from comment #10)
> As commented as well in https://bugzilla.suse.com/show_bug.cgi?id=1193672#c16 the package we ship with SUSE Manager is not affected by this CVE. This is in fact related to the netty modules codec-http and codec-http2, which we do not ship nor build. Please see the other comment for more pieces of information.

Thanks Thomas. Closing