ID

VAR-202103-1554

CVE

CVE-2021-21409

TITLE

Netty Environmental problem loophole

DESCRIPTION

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final. Bugs fixed (https://bugzilla.redhat.com/): 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1971 - Applying cluster state is causing elasticsearch to hit an issue and become unusable 6. The References section of this erratum contains a download link (you must log in to download the update). The JBoss server process must be restarted for the update to take effect. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.8 on RHEL 8 security update Advisory ID: RHSA-2021:2694-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2021:2694 Issue date: 2021-07-13 CVE Names: CVE-2021-3536 CVE-2021-21409 ==================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.3 for BaseOS-8 - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.7, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.8 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * netty: Request smuggling via content-length header (CVE-2021-21409) * wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 1948001 - CVE-2021-3536 wildfly: XSS via admin console when creating roles in domain mode 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-20264 - [GSS](7.3.z) ISPN-12787 - Non Transactional Cache needs to be invalidated after commit on JPQL update/delete operation JBEAP-20503 - [GSS](7.3.z) WFCORE-5185 - Update ProviderDefinition to use optimised service loading API JBEAP-20623 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.20.Final-redhat-00001 to 5.3.20.SP1-redhat-00001 JBEAP-21180 - Tracker bug for the EAP 7.3.8 release for RHEL-8 JBEAP-21406 - [GSS](7.3.z) Upgrade Ironjacamar from 1.4.30.Final-redhat-00001 to 1.4.33.Final-redhat-00001 JBEAP-21421 - (7.3.z) Upgrade Infinispan from 9.4.22.Final-redhat-00001 to 9.4.23.Final-redhat-00001 JBEAP-21434 - (7.3.z) Upgrade wildfly-http-client from 1.0.26.Final-redhat-00001 to 1.0.28.Final-redhat-00001 JBEAP-21435 - (7.3.z) Upgrade Elytron from 1.10.12.Final-redhat-00001 to 1.10.13.Final-redhat-00001 JBEAP-21437 - (7.3.z) Upgrade netty from 4.1.60.Final to 4.1.63 JBEAP-21441 - (7.3.z) Upgrade Undertow from 2.0.35.SP1-redhat-00001 to 2.0.38.SP1-redhat-00001 JBEAP-21443 - (7.3.z) Upgrade jberet from 1.3.7.Final-redhat-00001 to 1.3.8.Final-redhat-00001 JBEAP-21444 - (7.3.z) Upgrade wf-core from 10.1.20.Final-redhat-00001 to 10.1.21.Final-redhat-00001 JBEAP-21567 - [GSS](7.3.z) Upgrade HAL from 3.2.14.Final-redhat-00001 to 3.2.15.Final-redhat-00001 JBEAP-21582 - (7.3.z) Upgrade remoting from 5.0.20.SP1-redhat-00001 to 5.0.23.Final-redhat-00001 JBEAP-21739 - (7.3.z) Upgrade elytron-web from 1.6.2.Final-redhat-00001 to 1.6.3.Final-redhat-00001 JBEAP-21977 - [SET](7.3.z) Update product CP branch github template 7. Package List: Red Hat JBoss EAP 7.3 for BaseOS-8: Source: eap7-elytron-web-1.6.3-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hal-console-3.2.15-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-5.3.20-3.SP1_redhat_00001.1.el8eap.src.rpm eap7-infinispan-9.4.23-1.Final_redhat_00001.1.el8eap.src.rpm eap7-ironjacamar-1.4.33-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jberet-1.3.8-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-remoting-5.0.23-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.7.2-7.Final_redhat_00008.1.el8eap.src.rpm eap7-netty-4.1.63-1.Final_redhat_00001.1.el8eap.src.rpm eap7-undertow-2.0.38-1.SP1_redhat_00001.1.el8eap.src.rpm eap7-wildfly-7.3.8-1.GA_redhat_00001.1.el8eap.src.rpm eap7-wildfly-elytron-1.10.13-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-http-client-1.0.28-1.Final_redhat_00001.1.el8eap.src.rpm noarch: eap7-hal-console-3.2.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-5.3.20-3.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-core-5.3.20-3.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-entitymanager-5.3.20-3.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-envers-5.3.20-3.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-java8-5.3.20-3.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-9.4.23-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-jdbc-9.4.23-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-remote-9.4.23-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-client-hotrod-9.4.23-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-commons-9.4.23-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-core-9.4.23-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-9.4.23-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-9.4.23-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-9.4.23-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-1.4.33-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-api-1.4.33-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.33-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.33-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-api-1.4.33-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.33-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.33-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.33-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-validator-1.4.33-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jberet-1.3.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jberet-core-1.3.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-remoting-5.0.23-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-server-migration-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-cli-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-core-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.3-server-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly15.0-server-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly16.0-server-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly17.0-server-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly18.0-server-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.7.2-7.Final_redhat_00008.1.el8eap.noarch.rpm eap7-netty-4.1.63-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-netty-all-4.1.63-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-undertow-2.0.38-1.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-undertow-server-1.6.3-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-7.3.8-1.GA_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-elytron-1.10.13-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-elytron-tool-1.10.13-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-client-common-1.0.28-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.28-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.28-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.28-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-javadocs-7.3.8-1.GA_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-modules-7.3.8-1.GA_redhat_00001.1.el8eap.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYO2RMtzjgjWX9erEAQjW+A/9HWLlaHiO+DaKpGDmPHSmVqeMaFH1CYHa q+8rtsG66TOWU4HNV+nDQvbxR6sBB7i20calm3b8kRnTobtX/aVu+IyBHeqpfrYv uc8Bit2T+RkdZlKFrRSlkTukkT7+lGhPtmFqjqGQaM6uoUzFiG3qn0dLHCVWEwo0 cNhF2RZR8ahaYacq4Ifv9Df6lC36URNLoPOp1UOmPpEnglJDARWcw78kaVQc27mi ivIWDrj6rbWHY5obVSnENKlT6+e6M8hgyMTYJc47LthI/SjrOSnVzHQhdgw184yZ cG+hvN5odn/DyZIVc5MwlncHLYeuKT4c7Kvcxr0XvQOc8J9oRVOBHs3T4ApMc+Fh r20gyja8SbwoKMjgYsCHY8jtPsvRWCh2iLjKN9iPM/Mp1WEs1KsBVtOE+0XWMHEt KCxrAsDZjlB0KFz6cwp5GZq/h2gwx5tFkG8sFjeDtK+t2NnStbKBPocU8K9fMbdG cclTUoHC73KCHxN9xU6GHcX1ZP8EvlluQPs/Ay2WxWsT0ETKWNcD0YmeLbHaARgh pNIAkEZdORXxEfgLmt7Ug+gg3uwpegZrBnZJNqAJ/1gDV2FG1JDt9CdXmVdFwUw3 HBCpb86rrCmG3EVnswOS+uCFMGu1V5LMIx/6OoR+35O9DEHx3JXYiAiCUHrd9Kpr Y6NNd2219pM=Uht6 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Relevant releases/architectures: 7Client-AMQ-Clients-2 - noarch, x86_64 7ComputeNode-AMQ-Clients-2 - noarch, x86_64 7Server-AMQ-Clients-2 - noarch, x86_64 7Workstation-AMQ-Clients-2 - noarch, x86_64 8Base-AMQ-Clients-2 - noarch, x86_64 3. Description: Red Hat AMQ Clients enable connecting, sending, and receiving messages over the AMQP 1.0 wire transport protocol to or from AMQ Broker 6 and 7. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Description: AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. Bugs fixed (https://bugzilla.redhat.com/): 1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs 1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory 1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS 1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information 1936629 - CVE-2021-3425 Red Hat AMQ Broker: discloses JDBC username and password in the application log file 1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents 1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF 1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame 1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory 1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout 1985223 - CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints 2000654 - CVE-2021-3763 AMQ Broker 7: Incorrect privilege in Management Console 5. ========================================================================== Ubuntu Security Notice USN-6049-1 April 28, 2023 netty vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 ESM - Ubuntu 18.04 ESM - Ubuntu 16.04 ESM Summary: Several security issues were fixed in Netty. Software Description: - netty: Java NIO client/server socket framework Details: It was discovered that Netty's Zlib decoders did not limit memory allocations. A remote attacker could possibly use this issue to cause Netty to exhaust memory via malicious input, leading to a denial of service. This issue only affected Ubuntu 16.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-11612) It was discovered that Netty created temporary files with excessive permissions. A local attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM, and Ubuntu 20.04 ESM. (CVE-2021-21290) It was discovered that Netty did not properly validate content-length headers. A remote attacker could possibly use this issue to smuggle requests. This issue was only fixed in Ubuntu 20.04 ESM. (CVE-2021-21295, CVE-2021-21409) It was discovered that Netty's Bzip2 decompression decoder did not limit the decompressed output data size. A remote attacker could possibly use this issue to cause Netty to exhaust memory via malicious input, leading to a denial of service. This issue only affected Ubuntu 18.04 ESM, Ubuntu 20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2021-37136) It was discovered that Netty's Snappy frame decoder function did not limit chunk lengths. A remote attacker could possibly use this issue to cause Netty to exhaust memory via malicious input, leading to a denial of service. (CVE-2021-37137) It was discovered that Netty did not properly handle control chars at the beginning and end of header names. A remote attacker could possibly use this issue to smuggle requests. This issue only affected Ubuntu 18.04 ESM, Ubuntu 20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2021-43797) It was discovered that Netty could be made into an infinite recursion when parsing a malformed crafted message. A remote attacker could possibly use this issue to cause Netty to crash, leading to a denial of service. This issue only affected Ubuntu 20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-41881) It was discovered that Netty did not validate header values under certain circumstances. A remote attacker could possibly use this issue to perform HTTP response splitting via malicious header values. This issue only affected Ubuntu 18.04 ESM, Ubuntu 20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-41915) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: libnetty-java 1:4.1.48-5ubuntu0.1 Ubuntu 22.04 LTS: libnetty-java 1:4.1.48-4+deb11u1build0.22.04.1 Ubuntu 20.04 ESM: libnetty-java 1:4.1.45-1ubuntu0.1~esm1 Ubuntu 18.04 ESM: libnetty-java 1:4.1.7-4ubuntu0.1+esm2 Ubuntu 16.04 ESM: libnetty-java 1:4.0.34-1ubuntu0.1~esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6049-1 CVE-2020-11612, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137, CVE-2021-43797, CVE-2022-41881, CVE-2022-41915 Package Information: https://launchpad.net/ubuntu/+source/netty/1:4.1.48-5ubuntu0.1 https://launchpad.net/ubuntu/+source/netty/1:4.1.48-4+deb11u1build0.22.04.1

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

environmental issue

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-02-07T23:00:41.168000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE