CVE-2021-21295
Possible request smuggling in HTTP/2 due missing validation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
Netty es un framework de aplicación de red de código abierto y controlado por eventos asíncronos para el desarrollo rápido de servidores y clientes de protocolo de alto rendimiento mantenibles. En Netty (io.netty: netty-codec-http2) versiones anteriores a la versión 4.1.60.Final, se presenta una vulnerabilidad que permite el tráfico de peticiones. Si existe un encabezado Content-Length en la petición HTTP/2 original, el campo no es comprobado por "Http2MultiplexHandler" a medida que se propaga. Esto está bien siempre que la petición no se transmita como HTTP/1.1. Si la petición llega como una secuencia HTTP/2, se convierte en los objetos de dominio HTTP/1.1 ("HttpRequest", "HttpContent", etc.) por medio de "Http2StreamFrameToHttpObjectCodec" y luego se envía al pipeline del canal secundario y al proxy mediante un peer remoto como HTTP/1.1, esto puede resultar en el tráfico de peticiones. En un caso de proxy, los usuarios pueden asumir que la longitud del contenido está comprobada de alguna forma, lo que no es el caso. Si la petición se reenvía a un canal de backend que es una conexión HTTP/1.1, la longitud del contenido ahora tiene significado y debe verificarse. Un atacante puede traficar peticiones dentro del cuerpo a medida que se degrada de HTTP/2 a HTTP/1.1. Para visualizar un ejemplo de ataque, consulte el Aviso de GitHub vinculado. Los usuarios solo están afectados si todo esto es cierto: se usa "HTTP2MultiplexCodec" o "Http2FrameCodec", se usa "Http2StreamFrameToHttpObjectCodec" para convertir a objetos HTTP/1.1, y estos objetos HTTP/1.1 se reenvían a otro par remoto. Esto ha sido parcheado en la versión 4.1.60.Final. Como solución, el usuario puede hacer la comprobación por sí mismo implementando un "ChannelInboundHandler" personalizado que se coloca en el "ChannelPipeline" detrás de "Http2StreamFrameToHttpObjectCodec"
In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-12-22 CVE Reserved
- 2021-03-09 CVE Published
- 2024-08-03 CVE Updated
- 2024-10-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
References (93)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/Netflix/zuul/pull/980 | 2023-11-07 | |
| https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4 | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-11-07 |
| URL | Date | SRC |
|---|---|---|
| https://www.debian.org/security/2021/dsa-4885 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2021-21295 | 2022-07-05 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1937364 | 2022-07-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Netty Search vendor "Netty" | Netty Search vendor "Netty" for product "Netty" | < 4.1.60 Search vendor "Netty" for product "Netty" and version " < 4.1.60" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Oncommand Api Services Search vendor "Netapp" for product "Oncommand Api Services" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Oncommand Workflow Automation Search vendor "Netapp" for product "Oncommand Workflow Automation" | - | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Quarkus Search vendor "Quarkus" | Quarkus Search vendor "Quarkus" for product "Quarkus" | <= 1.13.7 Search vendor "Quarkus" for product "Quarkus" and version " <= 1.13.7" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Kudu Search vendor "Apache" for product "Kudu" | < 1.16.0 Search vendor "Apache" for product "Kudu" and version " < 1.16.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Zookeeper Search vendor "Apache" for product "Zookeeper" | 3.5.9 Search vendor "Apache" for product "Zookeeper" and version "3.5.9" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Cloud Native Core Policy Search vendor "Oracle" for product "Communications Cloud Native Core Policy" | 1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Policy" and version "1.14.0" | - |
Affected
| ||||||