ID

VAR-202103-1564

CVE

CVE-2021-21295

TITLE

Netty Environmental problem loophole

DESCRIPTION

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. For the stable distribution (buster), these problems have been fixed in version 1:4.1.33-1+deb10u2. We recommend that you upgrade your netty packages. For the detailed security status of netty please refer to its security tracker page at: https://security-tracker.debian.org/tracker/netty Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmBrXn0ACgkQEMKTtsN8 TjYiIQ/+M3dHpXdXRxZlx12OSJNsJoZa52/7uKhM9Vg0HhdCYnq7RjXTI2zZmUu7 VbL/F1ixPFgHWZpFIwHPTxZ4qk5+qQKYj7JyU1g+NyL9MkVsAW7ccYj3gbp3Kgk6 bE2GEwfh0qSKDgolflLCudGsqF1J54T65kO5oQ+Gtbx/8+NJ0YrVrHsmG1O4IMHQ 6oK/znY6CmQtUSY1p8DCNTWp63hZYpGzg9Umv/y9TaYm3QeG1BNz3tQz8uaGZQWq LihkaTSpJoo7ezNUFYinaRECylpEf7MHgK+uYkJ0MZrZ+2wyMC6V0BATVwF2Aj7X VMrRBJTSf20z5u/k0m+y9k8cR8CcR3sWVo/7mpRJAIsvnyMQwKBmxjHSlVfzOqYK 91NB7OSi/ZDKOOsdQ5oW337FPQolCXl2DOe2UW9Z1K9XFs11VplsFxMkrzZtiwba dXhq6odVZwQfzjiWGj0yFftfJSAAs9B0I1L1EqW2QR7sN25YA1OosYsc5iYvUXD7 mhjU1RtqsXK3jI9TjGmXos+6Yj36iPncNwXBL4AKKPapV5qm6mHQkXTowW1NM5vu 8NokTjKtuixgb08CAQHNe202TpQ9kGHNTe2FDKRNFQrlTaoxt2DlmHbDiLn6i1Ue k4HImGqrUw9venxQ/vPZjTW6UaTbz0D9BPQcb9ApBOAgydEjJqE= =6i6I -----END PGP SIGNATURE----- . Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. The References section of this erratum contains a download link (you must log in to download the update). The JBoss server process must be restarted for the update to take effect. JIRA issues fixed (https://issues.jboss.org/): JBEAP-20478 - (7.3.z) Upgrade artemis-wildfly-integration from 1.0.2 to 1.0.4 JBEAP-20927 - [GSS](7.3.z) Upgrade weld from 3.1.4.Final to 3.1.6.Final and weld-api to 3.1.0.SP3 JBEAP-20935 - [GSS](7.3.z) Upgrade generic jms from 2.0.8.Final-redhat-00001 to 2.0.9.Final-redhat-00001 JBEAP-20940 - (7.3.z) Upgrade WildFly Elytron from 1.10.11.Final-redhat-00001 to 1.10.12.Final-redhat-00001 JBEAP-21093 - [GSS] (7.3.z) Upgrade undertow from 2.0.34.SP1-redhat-00001 to 2.0.35.SP1-redhat-00001 JBEAP-21094 - (7.3.z) Upgrade WildFly Core from 10.1.18.Final-redhat-00001 to 10.1.19.Final-redhat-00001 JBEAP-21095 - [GSS](7.3.z) Upgrade HAL from 3.2.13.Final-redhat-00001 to 3.2.14.Final-redhat-00001 JBEAP-21096 - (7.3.z) (Core) Upgrade xalan from 2.7.1.jbossorg-2 to 2.7.1.jbossorg-5 JBEAP-21121 - (7.3.z) Upgrade wildfly-http-client from 1.0.25.Final-redhat-00001 to 1.0.26.Final-redhat-00001 JBEAP-21185 - [GSS](7.3.z) ISPN-12807 - Simple cache does not update eviction statistics JBEAP-21186 - [GSS](7.3.z) Upgrade Infinispan from 9.4.19.Final-redhat-00001 to 9.4.22.Final-redhat-00001 JBEAP-21193 - (7.3.z) Upgrade RESTEasy from 3.11.3.Final-redhat-00001 to 3.11.4.Final-redhat-00001 JBEAP-21196 - [GSS](7.3.z) Upgrade JBoss Marshalling from 2.0.10.Final to 2.0.11.Final JBEAP-21203 - [GSS](7.3.z) Upgrade jgroups-kubernetes from 1.0.13.Final to 1.0.16.Final JBEAP-21262 - [GSS](7.3.z) Upgrade yasson from 1.0.5.redhat-00001 to 1.0.9.redhat-00001 JBEAP-21279 - (7.3.z) Upgrade xalan from 2.7.1.redhat-12 to 2.7.1.redhat-13 JBEAP-21312 - [GSS](7.3.z) Upgrade Ironjacamar from 1.4.27 to 1.4.30 JBEAP-21322 - [GSS](7.3.z) 7.3 Update 6 patch breaks samesite-cookie in Undertow JBEAP-21351 - (7.3.z) Upgrade WildFly Core from 10.1.19.Final-redhat-00001 to 10.1.20.Final-redhat-00001 JBEAP-21390 - (7.3.z) Upgrade Bouncy Castle from 1.68.0.redhat-00001 to 1.68.0.redhat-00005 JBEAP-21479 - (7.3.z) Upgrade mod_cluster from 1.4.3.Final-redhat-00001 to 1.4.3.Final-redhat-00002 6. Description: Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Description: AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. For further information, refer to the release notes linked to in the References section. Description: Red Hat Data Grid is a distributed, in-memory data store. Solution: Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: AMQ Clients 2.9.1 release and security update Advisory ID: RHSA-2021:1511-01 Product: Red Hat AMQ Clients Advisory URL: https://access.redhat.com/errata/RHSA-2021:1511 Issue date: 2021-05-06 CVE Names: CVE-2021-21290 CVE-2021-21295 CVE-2021-21409 ==================================================================== 1. Summary: An update is now available for Red Hat AMQ Clients 2.9.1. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: 7Client-AMQ-Clients-2 - noarch, x86_64 7ComputeNode-AMQ-Clients-2 - noarch, x86_64 7Server-AMQ-Clients-2 - noarch, x86_64 7Workstation-AMQ-Clients-2 - noarch, x86_64 8Base-AMQ-Clients-2 - noarch, x86_64 3. Description: Red Hat AMQ Clients enable connecting, sending, and receiving messages over the AMQP 1.0 wire transport protocol to or from AMQ Broker 6 and 7. This update provides various bug fixes and enhancements in addition to the client package versions previously released on Red Hat Enterprise Linux 7 and 8. Security Fix(es): * netty: Information disclosure via the local system temporary directory (CVE-2021-21290) * netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295) * netty: Request smuggling via content-length header (CVE-2021-21409) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Package List: 7Client-AMQ-Clients-2: Source: qpid-proton-0.33.0-6.el7_9.src.rpm noarch: python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm x86_64: python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm 7ComputeNode-AMQ-Clients-2: Source: qpid-proton-0.33.0-6.el7_9.src.rpm noarch: python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm x86_64: python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm 7Server-AMQ-Clients-2: Source: qpid-proton-0.33.0-6.el7_9.src.rpm noarch: python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm x86_64: python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm 7Workstation-AMQ-Clients-2: Source: qpid-proton-0.33.0-6.el7_9.src.rpm noarch: python-qpid-proton-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-c-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-cpp-docs-0.33.0-6.el7_9.noarch.rpm qpid-proton-tests-0.33.0-6.el7_9.noarch.rpm x86_64: python-qpid-proton-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-0.33.0-6.el7_9.x86_64.rpm qpid-proton-c-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-0.33.0-6.el7_9.x86_64.rpm qpid-proton-cpp-devel-0.33.0-6.el7_9.x86_64.rpm qpid-proton-debuginfo-0.33.0-6.el7_9.x86_64.rpm rubygem-qpid_proton-0.33.0-6.el7_9.x86_64.rpm 8Base-AMQ-Clients-2: Source: qpid-proton-0.33.0-8.el8.src.rpm noarch: python-qpid-proton-docs-0.33.0-8.el8.noarch.rpm qpid-proton-c-docs-0.33.0-8.el8.noarch.rpm qpid-proton-cpp-docs-0.33.0-8.el8.noarch.rpm qpid-proton-tests-0.33.0-8.el8.noarch.rpm x86_64: python3-qpid-proton-0.33.0-8.el8.x86_64.rpm python3-qpid-proton-debuginfo-0.33.0-8.el8.x86_64.rpm qpid-proton-c-0.33.0-8.el8.x86_64.rpm qpid-proton-c-debuginfo-0.33.0-8.el8.x86_64.rpm qpid-proton-c-devel-0.33.0-8.el8.x86_64.rpm qpid-proton-cpp-0.33.0-8.el8.x86_64.rpm qpid-proton-cpp-debuginfo-0.33.0-8.el8.x86_64.rpm qpid-proton-cpp-devel-0.33.0-8.el8.x86_64.rpm qpid-proton-debuginfo-0.33.0-8.el8.x86_64.rpm qpid-proton-debugsource-0.33.0-8.el8.x86_64.rpm rubygem-qpid_proton-0.33.0-8.el8.x86_64.rpm rubygem-qpid_proton-debuginfo-0.33.0-8.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2021-21290 https://access.redhat.com/security/cve/CVE-2021-21295 https://access.redhat.com/security/cve/CVE-2021-21409 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_amq/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYJOfftzjgjWX9erEAQj+2g/+JFftwDGLiEj+Svg0TbMD8ZsrA/xaXtw7 uYVdRIGBGQQPG8VGYVmbOVBFWBsZlF6+6v05975AJqCZcoPn6oJZBQabsEOTIyj6 Q2AzW8cfx7M8TjV27O+woPB1wMMo+PhsJHgSOTnXiZWT10geQKLGWZ81dLn37rT/ s85Vr5ANqtQxaw3Uv8B5rgAybdEJEQ8m7E9zRJtlAeo+qTFugJT0c11Jxt6t+2vl gWl1+mbO0pwuovGCFS2smB1G9TMF4/dOIX15qlgV98EK30fLVkGth/sCfjtMJDwz 8xoy+LaxIHBxH1sqfUVF8I1u/ngPhinlby31GI9jM3Qkuqjklo7I9+vYzxik0lBt 5fcsMxB3HjTWyuMx+7KssdPcvKFBIXbHtf9wuVIfiRR/Vuk35f5fwPvjNrhaOmNW TjM8cfu/ioWREh1qHUr3Bq9Nv0k/yh4m2xA9/P7bDIXvZrRWbVTsP301r8x1VbQw w6IohuS3wi1TM7vU5MZQv/BxAql1n1f66k1++nofq5D8/DLAAkHNHHNpr4O4rKTj PT7KxahxRACP1EiwGyHdcvHLWJQgJ/vwqFWCCFlmOoi8dGDBdXqNfESNpCn8+kII 3OQF2n5g8lxgMKDpUuaAU/aYybm9CcUW8Ncw+vYBlJn/gK2FPSKm606Pd5KqQXmC egK9mWwN/dY=JIov -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

environmental issue

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-08-06T21:42:01.490000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE