
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN200
_____________________________________________________________________

DATE                : 02/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Netty versions prior to 4.1.61.

=====================================================================
https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
_____________________________________________________________________

Possible request smuggling in HTTP/2 due to missing validation of
content-length


moderate

normanmaurer published GHSA-f256-j965-7f32 Mar 30, 2021

Package
io.netty:netty-codec-http2 (maven)

Affected versions
< 4.1.61.Final

Patched versions
4.1.61.Final


Description

Impact

The content-length header is not correctly validated if the request only
uses a single Http2HeaderFrame with endStream set to true. This could
lead to request smuggling if the request is proxied to a remote peer
and translated to HTTP/1.1.

This is a follow-up to GHSA-wm47-8v5p-wjpj, whose fix missed this one
case.


Patches

This was fixed as part of 4.1.61.Final


Workarounds

As a workaround, the user can validate the content-length header before
proxying the request.
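
One way to apply this workaround, as an added example (not code from the
advisory or from the Netty project). It covers only the case described
above: a headers frame with endStream set has no body, so any
content-length other than zero is rejected. The class name and the
placement on a per-stream child channel, ahead of the handler that
translates to HTTP/1.1, are assumptions.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http2.DefaultHttp2ResetFrame;
import io.netty.handler.codec.http2.Http2Error;
import io.netty.handler.codec.http2.Http2HeadersFrame;
import java.util.List;

/**
 * Hypothetical handler (the name is an assumption) for a per-stream child
 * channel that receives Http2HeadersFrame objects. Add it before any handler
 * that converts the request to HTTP/1.1 or forwards it upstream.
 */
public final class HeadersOnlyContentLengthValidator extends ChannelInboundHandlerAdapter {

    /** True when every content-length value is consistent with an empty body. */
    static boolean isValidForEmptyBody(List<? extends CharSequence> values) {
        for (CharSequence raw : values) {
            String v = raw.toString().trim();
            // No DATA frame follows, so the only acceptable length is zero.
            // This also rejects empty, signed, non-numeric and comma-joined values.
            if (v.isEmpty() || !v.chars().allMatch(c -> c == '0')) {
                return false;
            }
        }
        return true; // an absent content-length header is fine
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof Http2HeadersFrame) {
            Http2HeadersFrame frame = (Http2HeadersFrame) msg;
            // Only the headers-only request is checked here; requests that
            // carry DATA frames need length tracking across frames.
            if (frame.isEndStream()
                    && !isValidForEmptyBody(frame.headers().getAll(HttpHeaderNames.CONTENT_LENGTH))) {
                // Malformed request: reset the stream instead of forwarding it.
                ctx.writeAndFlush(new DefaultHttp2ResetFrame(Http2Error.PROTOCOL_ERROR));
                return;
            }
        }
        ctx.fireChannelRead(msg);
    }
}
```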



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


