Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
References
Link | Resource |
---|---|
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 | Patch Third Party Advisory |
https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq | Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html | Mailing List Third Party Advisory |
https://security.netapp.com/advisory/ntap-20220107-0003/ | Third Party Advisory |
https://www.debian.org/security/2023/dsa-5316 | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
24 Feb 2023, 15:47
Type | Values Removed | Values Added |
---|---|---|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2023/dsa-5316 - Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html - Mailing List, Third Party Advisory | |
First Time |
Oracle banking Deposits And Lines Of Credit Servicing
Oracle banking Platform Oracle communications Design Studio Debian Debian debian Linux Oracle banking Party Management |
|
CPE | cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:*:*:*:*:*:*:* |
12 Jan 2023, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 Jul 2022, 18:17
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Jun 2022, 15:34
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_instant_messaging_server:8.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:* |
|
First Time |
Oracle communications Cloud Native Core Unified Data Repository
Oracle communications Cloud Native Core Network Slice Selection Function Oracle coherence Oracle communications Cloud Native Core Binding Support Function Oracle helidon Oracle communications Instant Messaging Server Oracle Oracle communications Cloud Native Core Policy Oracle communications Cloud Native Core Security Edge Protection Proxy Oracle peoplesoft Enterprise Peopletools |
|
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory |
20 Apr 2022, 00:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
19 Feb 2022, 03:15
Type | Values Removed | Values Added |
---|---|---|
Summary | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. |
08 Feb 2022, 16:40
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* |
|
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20220107-0003/ - Third Party Advisory | |
First Time |
Netapp oncommand Workflow Automation
Quarkus quarkus Quarkus Netapp Netapp snapcenter |
21 Jan 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
Summary | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final to receive a patch. |
10 Jan 2022, 14:10
Type | Values Removed | Values Added |
---|---|---|
References |
|
14 Dec 2021, 20:19
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq - Third Party Advisory | |
References | (MISC) https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 6.5 |
CWE | CWE-444 |
09 Dec 2021, 19:21
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-12-09 19:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-43797
Mitre link : CVE-2021-43797
CVE.ORG link : CVE-2021-43797
JSON object : View
Products Affected
oracle
- communications_cloud_native_core_network_slice_selection_function
- communications_instant_messaging_server
- helidon
- coherence
- communications_cloud_native_core_security_edge_protection_proxy
- communications_cloud_native_core_policy
- communications_design_studio
- banking_platform
- banking_party_management
- communications_cloud_native_core_unified_data_repository
- communications_cloud_native_core_binding_support_function
- peoplesoft_enterprise_peopletools
- banking_deposits_and_lines_of_credit_servicing
debian
- debian_linux
quarkus
- quarkus
netty
- netty
netapp
- oncommand_workflow_automation
- snapcenter
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')