CVE-2021-21409

NameCVE-2021-21409
DescriptionNetty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4885-1
Debian Bugs986217

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
netty (PTS)buster1:4.1.33-1+deb10u2fixed
buster (security)1:4.1.33-1+deb10u4fixed
bullseye (security), bullseye1:4.1.48-4+deb11u2fixed
bookworm, bookworm (security)1:4.1.48-7+deb12u1fixed
sid, trixie1:4.1.48-9fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nettysourcebuster1:4.1.33-1+deb10u2DSA-4885-1
nettysource(unstable)1:4.1.48-4986217

Notes

[stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module)
Fixed by: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
Is a followup to: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj

Search for package or bug name: Reporting problems