CVE-2021-43797 : Netty is an asynchronous event-driven network application framework for rapid de

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

Published 2021-12-09 19:15:08

Updated 2023-02-24 15:47:12

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2021-43797

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.58
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.59
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.6.2
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Instant Messaging Server » Version: 8.1
cpe:2.3:a:oracle:communications_instant_messaging_server:8.1:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Design Studio » Version: 7.4.2
cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*
Matching versions
Oracle » Coherence » Version: 12.2.1.4.0
cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Coherence » Version: 14.1.1.0.0
cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Policy » Version: 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Unified Data Repository » Version: 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Slice Selection Function » Version: 1.8.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Security Edge Protection Proxy » Version: 1.7.0
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Party Management » Version: 2.7.0
cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Binding Support Function » Version: 1.11.0
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Deposits And Lines Of Credit Servicing » Version: 2.7
cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:*:*:*:*:*:*:*
Matching versions
Oracle » Helidon » Version: 1.4.10
cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*
Matching versions
Oracle » Helidon » Version: 2.4.0
cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Workflow Automation » Version: N/A
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snapcenter » Version: N/A
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
Matching versions
Netty » Netty
Versions before (<) 4.1.71
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
Matching versions
Quarkus » Quarkus
Versions before (<) 2.5.3
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-43797

EPSS FAQ

0.12%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 29 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-43797

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2021-43797

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)

References for CVE-2021-43797

https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html

[SECURITY] [DLA 3268-1] netty security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323

Merge pull request from GHSA-wx5j-54mm-rqqq · netty/netty@07aa6b5 · GitHub
Patch;Third Party Advisory
https://www.debian.org/security/2023/dsa-5316

Debian -- Security Information -- DSA-5316-1 netty
Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20220107-0003/

CVE-2021-43797 Apache Netty Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq

HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling · Advisory · netty/netty · GitHub
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022
Patch;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-43797

Products affected by CVE-2021-43797

Exploit prediction scoring system (EPSS) score for CVE-2021-43797

CVSS scores for CVE-2021-43797

CWE ids for CVE-2021-43797

References for CVE-2021-43797