[Bugs] [Bug 13282] New: [CVE 21] netty 4.1.13 CVEs found

Ср Май 3 17:01:04 MSK 2023

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13282

          Platform: 2021.1
            Bug ID: 13282
           Summary: [CVE 21] netty 4.1.13  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2019-16869, CVE-2019-20444, CVE-2019-20445,
                    CVE-2020-11612, CVE-2021-21290, CVE-2021-21295,
                    CVE-2021-21409, CVE-2021-37136, CVE-2021-37137,
                    CVE-2021-43797, CVE-2022-24823, CVE-2022-41881,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: s.matveev на rosalinux.ru, y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package netty version 4.1.13

INFO (CVEs are): netty 4.1.13
 cves found
CVE-2019-16869
Desc: Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP
headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP
request smuggling.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-16869
Severity: HIGH
CVE-2019-20444
Desc: HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that
lacks a colon, which might be interpreted as a separate header with an
incorrect syntax, or might be interpreted as an "invalid fold."
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-20444
Severity: CRITICAL
CVE-2019-20445
Desc: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length
header to be accompanied by a second Content-Length header, or by a
Transfer-Encoding header.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-20445
Severity: CRITICAL
CVE-2020-11612
Desc: The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory
allocation while decoding a ZlibEncoded byte stream. An attacker could send a
large ZlibEncoded byte stream to the Netty server, forcing the server to
allocate all of its free memory to a single decoder.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-11612
Severity: HIGH
CVE-2021-21290
Desc: Netty is an open-source, asynchronous event-driven network application
framework for rapid development of maintainable high performance protocol
servers & clients. In Netty before version 4.1.59.Final there is a
vulnerability on Unix-like systems involving an insecure temp file. When
netty's multipart decoders are used local information disclosure can occur via
the local system temporary directory if temporary storing uploads on the disk
is enabled. On unix-like systems, the temporary directory is shared between all
user. As such, writing to this directory using APIs that do not explicitly set
the file/directory permissions can lead to information disclosure. Of note,
this does not impact modern MacOS Operating Systems. The method
"File.createTempFile" on unix-like systems creates a random file, but, by
default will create this file with the permissions "-rw-r--r--". Thus, if
sensitive information is written to this file, other local users can read this
information. This is the case in netty's "AbstractDiskHttpData" is vulnerable.
This has been fixed in version 4.1.59.Final. As a workaround, one may specify
your own "java.io.tmpdir" when you start the JVM or use
"DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that
is only readable by the current user.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21290
Severity: MEDIUM
CVE-2021-21295
Desc: Netty is an open-source, asynchronous event-driven network application
framework for rapid development of maintainable high performance protocol
servers & clients. In Netty (io.netty:netty-codec-http2) before version
4.1.60.Final there is a vulnerability that enables request smuggling. If a
Content-Length header is present in the original HTTP/2 request, the field is
not validated by `Http2MultiplexHandler` as it is propagated up. This is fine
as long as the request is not proxied through as HTTP/1.1. If the request comes
in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects
(`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec
`and then sent up to the child channel's pipeline and proxied through a remote
peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users
may assume the content-length is validated somehow, which is not the case. If
the request is forwarded to a backend channel that is a HTTP/1.1 connection,
the Content-Length now has meaning and needs to be checked. An attacker can
smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1.
For an example attack refer to the linked GitHub Advisory. Users are only
affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is
used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1
objects, and these HTTP/1.1 objects are forwarded to another remote peer. This
has been patched in 4.1.60.Final As a workaround, the user can do the
validation by themselves by implementing a custom `ChannelInboundHandler` that
is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21295
Severity: MEDIUM
CVE-2021-21409
Desc: Netty is an open-source, asynchronous event-driven network application
framework for rapid development of maintainable high performance protocol
servers & clients. In Netty (io.netty:netty-codec-http2) before version
4.1.61.Final there is a vulnerability that enables request smuggling. The
content-length header is not correctly validated if the request only uses a
single Http2HeaderFrame with the endStream set to to true. This could lead to
request smuggling if the request is proxied to a remote peer and translated to
HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did
miss to fix this one case. This was fixed as part of 4.1.61.Final.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-21409
Severity: MEDIUM
CVE-2021-37136
Desc: The Bzip2 decompression decoder function doesn't allow setting size
restrictions on the decompressed output data (which affects the allocation size
used during decompression). All users of Bzip2Decoder are affected. The
malicious input can trigger an OOME and so a DoS attack
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-37136
Severity: HIGH
CVE-2021-37137
Desc: The Snappy frame decoder function doesn't restrict the chunk length which
may lead to excessive memory usage. Beside this it also may buffer reserved
skippable chunks until the whole chunk was received which may lead to excessive
memory usage as well. This vulnerability can be triggered by supplying
malicious input that decompresses to a very big size (via a network stream or a
file) or by sending a huge skippable chunk.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-37137
Severity: HIGH
CVE-2021-43797
Desc: Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers & clients.
Netty prior to version 4.1.71.Final skips control chars when they are present
at the beginning / end of the header name. It should instead fail fast as these
are not allowed by the spec and could lead to HTTP request smuggling. Failing
to do the validation might cause netty to "sanitize" header names before it
forward these to another remote system when used as proxy. This remote system
can't see the invalid usage anymore, and therefore does not do the validation
itself. Users should upgrade to version 4.1.71.Final.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-43797
Severity: MEDIUM
CVE-2022-24823
Desc: Netty is an open-source, asynchronous event-driven network application
framework. The package `io.netty:netty-codec-http` prior to version
4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's
multipart decoders are used local information disclosure can occur via the
local system temporary directory if temporary storing uploads on the disk is
enabled. This only impacts applications running on Java version 6 and lower.
Additionally, this vulnerability impacts code running on Unix-like systems, and
very old versions of Mac OSX and Windows as they all share the system temporary
directory between all users. Version 4.1.77.Final contains a patch for this
vulnerability. As a workaround, specify one's own `java.io.tmpdir` when
starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the
directory to something that is only readable by the current user.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-24823
Severity: MEDIUM
CVE-2022-41881
Desc: Netty project is an event-driven asynchronous network application
framework. In versions prior to 4.1.86.Final, a StackOverflowError can be
raised when parsing a malformed crafted message due to an infinite recursion.
This issue is patched in version 4.1.86.Final. There is no workaround, except
using a custom HaProxyMessageDecoder.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-41881
Severity: HIGH

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено&hellip;
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230503/7ed361d8/attachment-0001.html>