CVE-2021-43797

CVE	CVE-2021-43797
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-12-09 19:15:00 UTC
Updated	2023-02-24 15:47:00 UTC
Description	Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

Problem Types: CWE-444

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Application	Netapp	Snapcenter	-	All	All	All
Application	Netty	Netty	All	All	All	All
Application	Oracle	Banking Deposits And Lines Of Credit Servicing	2.7	All	All	All
Application	Oracle	Banking Party Management	2.7.0	All	All	All
Application	Oracle	Banking Platform	2.6.2	All	All	All
Application	Oracle	Coherence	12.2.1.4.0	All	All	All
Application	Oracle	Coherence	14.1.1.0.0	All	All	All
Application	Oracle	Communications Cloud Native Core Binding Support Function	1.11.0	All	All	All
Application	Oracle	Communications Cloud Native Core Network Slice Selection Function	1.8.0	All	All	All
Application	Oracle	Communications Cloud Native Core Policy	1.15.0	All	All	All
Application	Oracle	Communications Cloud Native Core Security Edge Protection Proxy	1.7.0	All	All	All
Application	Oracle	Communications Cloud Native Core Unified Data Repository	1.15.0	All	All	All
Application	Oracle	Communications Design Studio	7.4.2	All	All	All
Application	Oracle	Communications Instant Messaging Server	8.1	All	All	All
Application	Oracle	Helidon	1.4.10	All	All	All
Application	Oracle	Helidon	2.4.0	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Quarkus	Quarkus	All	All	All	All

Reference	Source	Link	Tags
[SECURITY] [DLA 3268-1] netty security update	MLIST	lists.debian.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
Debian -- Security Information -- DSA-5316-1 netty	DEBIAN	www.debian.org
Merge pull request from GHSA-wx5j-54mm-rqqq · netty/netty@07aa6b5 · GitHub	MISC	github.com
CVE-2021-43797 Apache Netty Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling · Advisory · netty/netty · GitHub	CONFIRM	github.com
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

181469 Debian Security Update for netty (DLA 3268-1)
181471 Debian Security Update for netty (DSA 5316-1)
183061 Debian Security Update for netty (CVE-2021-43797)
199574 Ubuntu Security Notification for Netty Vulnerabilities (USN-6049-1)
240458 Red Hat Update for JBoss Enterprise Application Platform 7.4.5 on RHEL 7 (RHSA-2022:4918)
240459 Red Hat Update for JBoss Enterprise Application Platform 7.4.5 on RHEL 8 (RHSA-2022:4919)
240566 Red Hat Update for Satellite 6.11 Release (RHSA-2022:5498)
376547 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUAPR2022)
376549 Oracle Coherence April 2022 Critical Patch Update (CPUAPR2022)
753182 SUSE Enterprise Linux Security Update for netty3 (SUSE-SU-2022:2047-1)
960505 Rocky Linux Security Update for Satellite (RLSA-2022:5498)