CVE-2021-21409

Published: 30 March 2021

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Priority

Cvss 3 Severity Score

5.9

Score breakdown

Status

Package	Release	Status
netty Launchpad, Ubuntu, Debian	bionic	Released (1:4.1.7-4ubuntu0.1+esm2) Available with Ubuntu Pro
	focal	Released (1:4.1.45-1ubuntu0.1~esm1) Available with Ubuntu Pro
	groovy	Ignored (end of life)
	hirsute	Ignored (end of life)
	impish	Ignored (end of life)
	jammy	Released (1:4.1.48-4+deb11u1build0.22.04.1)
	kinetic	Released (1:4.1.48-5ubuntu0.1)
	lunar	Ignored (end of life, was needs-triage)
	mantic	Ignored (end of life, was needs-triage)
	noble	Needs triage
	trusty	Needs triage
	upstream	Needs triage
	xenial	Released (1:4.0.34-1ubuntu0.1~esm1) Available with Ubuntu Pro

Severity score breakdown

Parameter	Value
Base score	5.9
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›