CVE-2021-43797
CVE-2021-43797 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. EPSS estimates a 2.68% chance of exploitation in the next 30 days.
Description
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards them to another remote system when used as a proxy. That remote system can no longer see the invalid usage and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
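The "sanitizing" behaviour the description contrasts with fail-fast validation, shown as an added illustration in Python (Netty itself is Java; this is not Netty's code): a lenient parser that drops control characters from the edges of a header name, a strict one that rejects the header outright, and a proxy re-serialisation step showing why the upstream never sees the invalid name. The header line and the `X-Example` name are constructed samples.

```python
import re

# RFC 7230 section 3.2.6: a field-name is a token, i.e. one or more "tchar".
_TCHAR = r"!#$%&'*+\-.^_`|~0-9A-Za-z"
_TOKEN_RE = re.compile(rf"^[{_TCHAR}]+$")
# ASCII controls (0x00-0x1F, 0x7F) and SP: the characters the pre-fix code
# skipped at the edges of a header name instead of rejecting the header.
_CTL_AND_WS = "".join(chr(c) for c in range(0x21)) + "\x7f"

class HeaderParseError(ValueError):
    """Raised by the fail-fast parser for a non-compliant header line."""

def is_valid_header_name(name: str) -> bool:
    """True only if `name` is an RFC 7230 token (no CTLs, no whitespace)."""
    return _TOKEN_RE.match(name) is not None

def lenient_split_header(line: bytes) -> tuple[str, str]:
    """Behaviour described for Netty < 4.1.71.Final: CTLs at the beginning or
    end of the name are dropped, so the header is "sanitized", not rejected.
    `line` is one header line without its trailing CRLF."""
    raw_name, _, raw_value = line.partition(b":")
    name = raw_name.decode("latin-1").strip(_CTL_AND_WS)
    return name, raw_value.decode("latin-1").strip(" \t")

def strict_split_header(line: bytes) -> tuple[str, str]:
    """Fail-fast behaviour: a header whose name is not a token is rejected,
    so a proxy never rewrites it into a valid-looking header."""
    if b":" not in line:
        raise HeaderParseError("header line has no ':' separator")
    raw_name, _, raw_value = line.partition(b":")
    name = raw_name.decode("latin-1")
    if not is_valid_header_name(name):
        raise HeaderParseError(f"invalid header name {name!r}")
    return name, raw_value.decode("latin-1").strip(" \t")

def proxy_forward(line: bytes, split) -> bytes:
    """Re-serialise one header line as a proxy would after parsing it with
    `split`; with the lenient parser the upstream never sees the CTLs."""
    name, value = split(line)
    return f"{name}: {value}\r\n".encode("latin-1")

if __name__ == "__main__":
    bad = b"\x01X-Example\x1f: hello"  # constructed sample, CTLs around the name
    print(proxy_forward(bad, lenient_split_header))  # b'X-Example: hello\r\n'
    try:
        proxy_forward(bad, strict_split_header)
    except HeaderParseError as exc:
        print("rejected:", exc)
```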
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Netty | Netty | < 4.1.71 |
| Quarkus | Quarkus | < 2.5.3 |
| NetApp | OnCommand Workflow Automation | All versions |
| NetApp | SnapCenter | All versions |
| Oracle | Banking Deposits And Lines Of Credit Servicing | 2.7 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Banking Platform | 2.6.2 |
| Oracle | Coherence | 12.2.1.4.0 |
| Oracle | Coherence | 14.1.1.0.0 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.11.0 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 |
| Oracle | Communications Cloud Native Core Policy | 1.15.0 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.7.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.15.0 |
| Oracle | Communications Design Studio | 7.4.2 |
| Oracle | Communications Instant Messaging Server | 8.1 |
| Oracle | Helidon | 1.4.10 |
| Oracle | Helidon | 2.4.0 |
| Oracle | PeopleSoft Enterprise PeopleTools | 8.58 |
| Oracle | PeopleSoft Enterprise PeopleTools | 8.59 |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
References
- https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 (Patch, Third Party Advisory)
- https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220107-0003/ (Third Party Advisory)
- https://www.debian.org/security/2023/dsa-5316 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
Source: NVD / NIST
