CVEdetails.com the ultimate security vulnerability data source

Vulnerability Details : CVE-2021-21409

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request uses only a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. The issue was fixed in 4.1.61.Final.
Publish Date : 2021-03-30 Last Update Date : 2022-05-12

- CVSS Scores & Vulnerability Types

CVSS Score 4.3
Confidentiality Impact None (There is no impact to the confidentiality of the system.)
Integrity Impact Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact None (There is no impact to the availability of the system.)
Access Complexity Medium (The access conditions are somewhat specialized. Some preconditions must be satisfied to exploit.)
Authentication Not required (Authentication is not required to exploit the vulnerability.)
Gained Access None
Vulnerability Type(s)
CWE ID 444

- Products Affected By CVE-2021-21409

| # | Product Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|---|
| 1 | OS | Debian | Debian Linux | 10.0 | * | * | * |
| 2 | Application | Netapp | Oncommand Api Services | - | * | * | * |
| 3 | Application | Netapp | Oncommand Workflow Automation | - | * | * | * |
| 4 | Application | Netty | Netty | * | * | * | * |
| 5 | Application | Oracle | Banking Corporate Lending Process Management | 14.2.0 | * | * | * |
| 6 | Application | Oracle | Banking Corporate Lending Process Management | 14.3.0 | * | * | * |
| 7 | Application | Oracle | Banking Corporate Lending Process Management | 14.5.0 | * | * | * |
| 8 | Application | Oracle | Banking Credit Facilities Process Management | 14.2.0 | * | * | * |
| 9 | Application | Oracle | Banking Credit Facilities Process Management | 14.3.0 | * | * | * |
| 10 | Application | Oracle | Banking Credit Facilities Process Management | 14.5.0 | * | * | * |
| 11 | Application | Oracle | Banking Trade Finance Process Management | 14.2.0 | * | * | * |
| 12 | Application | Oracle | Banking Trade Finance Process Management | 14.3.0 | * | * | * |
| 13 | Application | Oracle | Banking Trade Finance Process Management | 14.5.0 | * | * | * |
| 14 | Application | Oracle | Coherence | 12.2.1.4.0 | * | * | * |
| 15 | Application | Oracle | Coherence | 14.1.1.0.0 | * | * | * |
| 16 | Application | Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.3 | * | * | * |
| 17 | Application | Oracle | Communications Cloud Native Core Console | 1.7.0 | * | * | * |
| 18 | Application | Oracle | Communications Cloud Native Core Policy | 1.14.0 | * | * | * |
| 19 | Application | Oracle | Communications Design Studio | 7.4.2.0.0 | * | * | * |
| 20 | Application | Oracle | Communications Messaging Server | 8.1 | * | * | * |
| 21 | Application | Oracle | Helidon | 1.4.10 | * | * | * |
| 22 | Application | Oracle | Helidon | 2.4.0 | * | * | * |
| 23 | Application | Oracle | Jd Edwards Enterpriseone Tools | * | * | * | * |
| 24 | Application | Oracle | Nosql Database | * | * | * | * |
| 25 | Application | Oracle | Primavera Gateway | * | * | * | * |
| 26 | Application | Quarkus | Quarkus | * | * | * | * |

- Number Of Affected Versions By Product

| Vendor | Product | Vulnerable Versions |
|---|---|---|
| Debian | Debian Linux | 1 |
| Netapp | Oncommand Api Services | 1 |
| Netapp | Oncommand Workflow Automation | 1 |
| Netty | Netty | 1 |
| Oracle | Banking Corporate Lending Process Management | 3 |
| Oracle | Banking Credit Facilities Process Management | 3 |
| Oracle | Banking Trade Finance Process Management | 3 |
| Oracle | Coherence | 2 |
| Oracle | Communications Brm - Elastic Charging Engine | 1 |
| Oracle | Communications Cloud Native Core Console | 1 |
| Oracle | Communications Cloud Native Core Policy | 1 |
| Oracle | Communications Design Studio | 1 |
| Oracle | Communications Messaging Server | 1 |
| Oracle | Helidon | 2 |
| Oracle | Jd Edwards Enterpriseone Tools | 1 |
| Oracle | Nosql Database | 1 |
| Oracle | Primavera Gateway | 1 |
| Quarkus | Quarkus | 1 |

- References For CVE-2021-21409

https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E
MLIST [pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0
https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E
MLIST [zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
MLIST [zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E
MLIST [zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E
MLIST [pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E
MLIST [pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E
MLIST [pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E
MLIST [flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
https://www.debian.org/security/2021/dsa-4885
DEBIAN DSA-4885
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cdev.zookeeper.apache.org%3E
MLIST [zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E
MLIST [flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5
https://lists.apache.org/thread.html/[email protected]%3Cdev.zookeeper.apache.org%3E
MLIST [zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.kudu.apache.org%3E
MLIST [kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
https://lists.apache.org/thread.html/[email protected]%3Cissues.kudu.apache.org%3E
MLIST [kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
https://lists.apache.org/thread.html/[email protected]%3Cissues.kudu.apache.org%3E
MLIST [kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
https://lists.apache.org/thread.html/[email protected]%3Cissues.kudu.apache.org%3E
MLIST [kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
MLIST [zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
MLIST [zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E
MLIST [flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E
MLIST [flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
https://lists.apache.org/thread.html/[email protected]%3Cdev.zookeeper.apache.org%3E
MLIST [zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5
https://lists.apache.org/thread.html/[email protected]%3Cissues.kudu.apache.org%3E
MLIST [kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
MLIST [zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
MLIST [zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5
https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5
https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E
MLIST [flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E
MLIST [flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
https://security.netapp.com/advisory/ntap-20210604-0003/ CONFIRM
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://www.oracle.com//security-alerts/cpujul2021.html
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
MLIST [zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E
MLIST [zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E
MLIST [zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409
https://lists.apache.org/thread.html/[email protected]%3Cjira.kafka.apache.org%3E
MLIST [kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
MLIST [zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409
https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387[email protected]%3Cissues.flink.apache.org%3E
MLIST [flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx
https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32 CONFIRM
https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E
MLIST [zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409

- Metasploit Modules Related To CVE-2021-21409

There are no Metasploit modules related to this CVE entry (please visit www.metasploit.com for more information).

