CVE-2021-43797

HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

Netty es un marco de trabajo de aplicaciones de red asíncronas impulsadas por eventos para el desarrollo rápido de servidores y clientes de protocolo de alto rendimiento mantenibles. Netty antes de la versión 4.1.71.Final omite los caracteres de control cuando están presentes al principio/fin del nombre de la cabecera. En su lugar, debería fallar rápidamente ya que estos no están permitidos por la especificación y podrían llevar a un contrabando de peticiones HTTP. No hacer la validación podría causar que netty "sanee" los nombres de las cabeceras antes de reenviarlas a otro sistema remoto cuando se usa como proxy. Este sistema remoto ya no puede ver el uso inválido, y por lo tanto no hace la validación por sí mismo. Los usuarios deben actualizar a la versión 4.1.71.Final

A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-16 CVE Reserved
2021-12-09 CVE Published
2024-08-04 CVE Updated
2024-10-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (9)

URL	Tag	Source
https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html	Mailing List
https://security.netapp.com/advisory/ntap-20220107-0003	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323	2023-02-24
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-02-24
https://www.oracle.com/security-alerts/cpujul2022.html	2023-02-24

URL	Date	SRC
https://www.debian.org/security/2023/dsa-5316	2023-02-24
https://access.redhat.com/security/cve/CVE-2021-43797	2022-11-03
https://bugzilla.redhat.com/show_bug.cgi?id=2031958	2022-11-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netty Search vendor "Netty"		Netty Search vendor "Netty" for product "Netty"				< 4.1.71 Search vendor "Netty" for product "Netty" and version " < 4.1.71"		-		Affected
Quarkus Search vendor "Quarkus"		Quarkus Search vendor "Quarkus" for product "Quarkus"				< 2.5.3 Search vendor "Quarkus" for product "Quarkus" and version " < 2.5.3"		-		Affected
Netapp Search vendor "Netapp"		Oncommand Workflow Automation Search vendor "Netapp" for product "Oncommand Workflow Automation"				-		-		Affected
Netapp Search vendor "Netapp"		Snapcenter Search vendor "Netapp" for product "Snapcenter"				-		-		Affected
Oracle Search vendor "Oracle"		Banking Deposits And Lines Of Credit Servicing Search vendor "Oracle" for product "Banking Deposits And Lines Of Credit Servicing"				2.7 Search vendor "Oracle" for product "Banking Deposits And Lines Of Credit Servicing" and version "2.7"		-		Affected
Oracle Search vendor "Oracle"		Banking Party Management Search vendor "Oracle" for product "Banking Party Management"				2.7.0 Search vendor "Oracle" for product "Banking Party Management" and version "2.7.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Platform Search vendor "Oracle" for product "Banking Platform"				2.6.2 Search vendor "Oracle" for product "Banking Platform" and version "2.6.2"		-		Affected
Oracle Search vendor "Oracle"		Coherence Search vendor "Oracle" for product "Coherence"				12.2.1.4.0 Search vendor "Oracle" for product "Coherence" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Coherence Search vendor "Oracle" for product "Coherence"				14.1.1.0.0 Search vendor "Oracle" for product "Coherence" and version "14.1.1.0.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Binding Support Function Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function"				1.11.0 Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" and version "1.11.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Slice Selection Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function"				1.8.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" and version "1.8.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Policy Search vendor "Oracle" for product "Communications Cloud Native Core Policy"				1.15.0 Search vendor "Oracle" for product "Communications Cloud Native Core Policy" and version "1.15.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Security Edge Protection Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy"				1.7.0 Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy" and version "1.7.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Unified Data Repository Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository"				1.15.0 Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" and version "1.15.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Design Studio Search vendor "Oracle" for product "Communications Design Studio"				7.4.2 Search vendor "Oracle" for product "Communications Design Studio" and version "7.4.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server"				8.1 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "8.1"		-		Affected
Oracle Search vendor "Oracle"		Helidon Search vendor "Oracle" for product "Helidon"				1.4.10 Search vendor "Oracle" for product "Helidon" and version "1.4.10"		-		Affected
Oracle Search vendor "Oracle"		Helidon Search vendor "Oracle" for product "Helidon"				2.4.0 Search vendor "Oracle" for product "Helidon" and version "2.4.0"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.59 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected