netty netty CVE-2021-43797 vulnerability in Netty and Other Products
Published on December 9, 2021

HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling

product logo product logo product logo product logo product logo product logo
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2021-43797 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

What is a HTTP Request Smuggling Vulnerability?

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

CVE-2021-43797 has been classified to as a HTTP Request Smuggling vulnerability or weakness.


Products Associated with CVE-2021-43797

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-43797 are published in these products:

Netty
 
Quarkus
 
NetApp Oncommand Workflow Automation
 
NetApp Snapcenter
 
Oracle Peoplesoft Enterprise Peopletools
 
Oracle Coherence
 
Oracle Communications Cloud Native Core Security Edge Protection Proxy
 
Oracle Communications Cloud Native Core Policy
 
Oracle Communications Cloud Native Core Unified Data Repository
 
Oracle Communications Cloud Native Core Network Slice Selection Function
 
Oracle Communications Cloud Native Core Binding Support Function
 
Oracle Helidon
 
Oracle Communications Instant Messaging Server
 
Oracle Banking Platform
 
Oracle Banking Party Management
 
Oracle Communications Design Studio
 
Oracle Banking Deposits Lines Credit Servicing
 
Debian Linux
 
Canonical Ubuntu Linux
 

Affected Versions

netty Version <= 4.1.7.0.Final is affected by CVE-2021-43797

Exploit Probability

EPSS
0.38%
Percentile
59.07%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.