[eclipse-sig] [Bug 1937364] New: CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation

https://bugzilla.redhat.com/show_bug.cgi?id=1937364 Bug ID: 1937364 Summary: CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, akurtako(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, andjrobins(a)gmail.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, clement.escoffier(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, dbhole(a)redhat.com, decathorpe(a)gmail.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, ebaron(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eleandro(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fjuma(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gsmet(a)redhat.com, hamadhan(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcantril(a)redhat.com, jerboaa(a)gmail.com, jjohnstn(a)redhat.com, jjoyce(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jross(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mat.booth(a)redhat.com, mburns(a)redhat.com, mkolesni(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nmoumoul(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pcreech(a)redhat.com, pdrozd(a)redhat.com, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, probinso(a)redhat.com, rchan(a)redhat.com, rgodfrey(a)redhat.com, rgrunber(a)redhat.com, rguimara(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sbiarozk(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sdaley(a)redhat.com, sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, sochotni(a)redhat.com, sokeeffe(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tflannag(a)redhat.com, theute(a)redhat.com, tom.jenkinson(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. Reference: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj Upstream patch: https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2f... -- You are receiving this mail because: You are on the CC list for the bug.