CVE-2021-21409 : Netty is an open-source, asynchronous event-driven network application framework

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Published 2021-03-30 15:15:15

Updated 2022-05-12 14:35:59

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2021-21409

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Oracle » Jd Edwards Enterpriseone Tools
Versions before (<) 9.2.6.3
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Messaging Server » Version: 8.1
cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 17.12.0 and up to, including, (<=) 17.12.11
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 19.12.0 and up to, including, (<=) 19.12.10
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 18.8.0 and up to, including, (<=) 18.8.11
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Nosql Database
Versions before (<) 21.1.12
cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Design Studio » Version: 7.4.2.0.0
cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Corporate Lending Process Management » Version: 14.3.0
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Corporate Lending Process Management » Version: 14.2.0
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Corporate Lending Process Management » Version: 14.5.0
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Credit Facilities Process Management » Version: 14.3.0
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Credit Facilities Process Management » Version: 14.2.0
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Credit Facilities Process Management » Version: 14.5.0
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Trade Finance Process Management » Version: 14.3.0
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Trade Finance Process Management » Version: 14.5.0
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Trade Finance Process Management » Version: 14.2.0
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Coherence » Version: 12.2.1.4.0
cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Coherence » Version: 14.1.1.0.0
cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Console » Version: 1.7.0
cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Policy » Version: 1.14.0
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Brm - Elastic Charging Engine » Version: 12.0.0.3
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Helidon » Version: 1.4.10
cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*
Matching versions
Oracle » Helidon » Version: 2.4.0
cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Workflow Automation » Version: N/A
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Api Services » Version: N/A
cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*
Matching versions
Netty » Netty
Versions before (<) 4.1.61
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
Matching versions
Quarkus » Quarkus
Versions up to, including, (<=) 1.13.7
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-21409

EPSS FAQ

4.98%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 89 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-21409

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N	2.2	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2021-21409

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)

References for CVE-2021-21409

https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E

[jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E

[jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E

[zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj

Possible request smuggling in HTTP/2 due missing validation · Advisory · netty/netty · GitHub
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E

[GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E

[jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E

[jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E

[jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295

CVE - CVE-2021-21295
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432

Merge pull request from GHSA-f256-j965-7f32 · netty/netty@b0fa4d5 · GitHub
Patch;Third Party Advisory
https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E

[jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. th
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E

[jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E

[GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher - Pony Mail
Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html

Oracle Critical Patch Update Advisory - July 2021
Patch;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2021/dsa-4885

Debian -- Security Information -- DSA-4885-1 netty
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E

[jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E

[GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E

[jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E

[jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E

[zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E

[jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E

[jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. th
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32

Possible request smuggling in HTTP/2 due missing validation of content-length · Advisory · netty/netty · GitHub
Third Party Advisory
https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E

[jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E

[GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E

[jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E

[jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. th
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E

[GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E

[jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E

[GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E

[jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E

[zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E

[jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E

[GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E

[GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E

[jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E

[jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E

[zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E

[jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E

[jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E

[zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409 - Pony Mail
Mailing List;Patch;Third Party Advisory
https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E

[jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E

[jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix.
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20210604-0003/

March 2021 Apache Netty Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E

[jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E

[jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E

[jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E

[jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409 - Pony Mail
Mailing List;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-21409

Products affected by CVE-2021-21409

Exploit prediction scoring system (EPSS) score for CVE-2021-21409

CVSS scores for CVE-2021-21409

CWE ids for CVE-2021-21409

References for CVE-2021-21409