CVE-2021-21409

Description

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeadersFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj / CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final.
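
The desync the description refers to, as an added model written for this page (it is not Netty's code and does not reproduce its framing or API): a proxy that translates one HTTP/2 stream to HTTP/1.1, run in a 4.1.60-style mode that compares content-length with received bytes only as DATA frames arrive, and in a 4.1.61-style mode that also runs the check when the HEADERS frame itself carries END_STREAM, followed by a minimal Content-Length-trusting backend parser reading the shared backend connection. The frame structure, the backend, and the attacker and victim requests are constructed for illustration; that the pre-fix check lived only on the DATA path is an assumption taken from the advisory's wording.

```python
"""Model of the CVE-2021-21409 desync (illustrative code, not Netty's).

A translating proxy receives HTTP/2 frames for one stream, rebuilds an HTTP/1.1
request and writes it to a backend connection that other clients' requests share.
If a client-supplied content-length is copied onto a stream that carried no body,
the backend keeps reading "body" bytes from whatever request the proxy writes next.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Frame:
    """Simplified HTTP/2 frame: only the fields the model needs."""
    kind: str                                   # "HEADERS" or "DATA"
    end_stream: bool = False
    headers: Dict[str, str] = field(default_factory=dict)
    data: bytes = b""


class StreamError(Exception):
    """The proxy refuses the stream (would be a RST_STREAM / PROTOCOL_ERROR)."""


def translate_stream(frames: List[Frame], check_headers_only_stream: bool) -> bytes:
    """Translate one HTTP/2 stream into HTTP/1.1 request bytes.

    check_headers_only_stream=False models the 4.1.60 behaviour the advisory
    describes: content-length is compared with received bytes only as DATA frames
    arrive, so a stream that ends on its HEADERS frame is never checked (assumed
    pre-fix control flow). True models 4.1.61.Final, where the check also runs
    when the HEADERS frame itself carries END_STREAM.
    """
    headers: Optional[Dict[str, str]] = None
    declared: Optional[int] = None
    body = b""
    for f in frames:
        if f.kind == "HEADERS":
            headers = f.headers
            if "content-length" in headers:
                declared = int(headers["content-length"])
            if f.end_stream and check_headers_only_stream and declared:
                raise StreamError(f"content-length {declared} on a stream with no DATA")
        elif f.kind == "DATA":
            body += f.data
            if declared is not None and (len(body) > declared
                                         or (f.end_stream and len(body) != declared)):
                raise StreamError(f"content-length {declared} but {len(body)} body bytes")
        if f.end_stream:
            break
    if headers is None:
        raise StreamError("stream ended without a HEADERS frame")
    lines = [f"{headers[':method']} {headers[':path']} HTTP/1.1",
             f"Host: {headers[':authority']}"]
    for name, value in headers.items():
        if not name.startswith(":"):            # content-length is copied verbatim
            lines.append(f"{name.title()}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_http1_requests(buf: bytes) -> List[dict]:
    """Minimal backend parser that, like any HTTP/1.1 server, trusts Content-Length."""
    requests: List[dict] = []
    pos = 0
    while pos < len(buf):
        end = buf.find(b"\r\n\r\n", pos)
        if end < 0:
            break                               # incomplete head: a real server keeps waiting
        head = buf[pos:end].decode("latin-1").split("\r\n")
        hdrs = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            hdrs[name.strip().lower()] = value.strip()
        length = int(hdrs.get("content-length", "0"))
        body_start = end + 4
        requests.append({"request_line": head[0], "headers": hdrs,
                         "body": buf[body_start:body_start + length]})
        pos = body_start + length
    return requests


# Constructed victim request that the proxy writes to the same backend connection next.
VICTIM_REQUEST = (b"GET /account HTTP/1.1\r\nHost: backend.internal\r\n"
                  b"Cookie: session=victim-secret\r\n\r\n")

# Constructed attacker stream: one HEADERS frame with END_STREAM set and no DATA, but a
# content-length sized to swallow the victim's headers (a real attacker would probe this).
ATTACKER_STREAM = [Frame("HEADERS", end_stream=True, headers={
    ":method": "POST", ":path": "/echo", ":authority": "backend.internal",
    "content-length": str(len(VICTIM_REQUEST) - 2)})]

# Constructed well-formed stream: the fix must still accept a declared length that matches.
HONEST_STREAM = [
    Frame("HEADERS", headers={":method": "POST", ":path": "/upload",
                              ":authority": "backend.internal", "content-length": "5"}),
    Frame("DATA", end_stream=True, data=b"hello"),
]


def backend_view(frames: List[Frame], check_headers_only_stream: bool) -> List[dict]:
    """Forward one stream, then the victim's request; return what the backend parsed."""
    forwarded = translate_stream(frames, check_headers_only_stream)
    return parse_http1_requests(forwarded + VICTIM_REQUEST)


def proxy_rejects(frames: List[Frame], check_headers_only_stream: bool) -> bool:
    """True when the proxy refuses the stream instead of forwarding it."""
    try:
        translate_stream(frames, check_headers_only_stream)
        return False
    except StreamError:
        return True


if __name__ == "__main__":
    seen = backend_view(ATTACKER_STREAM, check_headers_only_stream=False)
    print(len(seen), "request(s) parsed; attacker's body:", seen[0]["body"])
    print("4.1.61-style proxy rejects attacker stream:", proxy_rejects(ATTACKER_STREAM, True))
    print("4.1.61-style proxy accepts honest stream:", not proxy_rejects(HONEST_STREAM, True))
```

In the vulnerable mode the backend sees a single request: the attacker's POST, whose body is the victim's request line and Cookie header, and the victim's request never reaches the application. In the fixed mode the same stream is refused before anything is written to the backend, while the honest HEADERS + DATA stream is still forwarded. The condition is only reachable in the deployment the advisory names, a Netty HTTP/2 front end that re-emits requests as HTTP/1.1; the remediation is to move io.netty:netty-codec-http2 to 4.1.61.Final or later, and `mvn dependency:tree -Dincludes=io.netty:netty-codec-http2` shows which version a Maven build actually resolves.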

Risk Information

Base Score
5.9
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
Exploitation Probability
3.16

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2021-21409 are fixed in netty-codec-http2 4.1.61 | Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.3 | Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.4 | Windows
Multiple Vulnerabilities are affected in Netapp Oncommand Workflow Automation 2.3 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.6 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.0.4 | Windows
Multiple vulnerabilities are affected in JBoss-netty 3.9.9 | Windows
Multiple vulnerabilities are affected in netty 3.9.9 | Windows
(RHSA-2022:5498) Satellite 6.11 Release foreman-cli-3.1.1.21-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release foreman-cli-3.1.1.21-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-amazing_print-1.1.0-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-apipie-bindings-0.4.0-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-clamp-1.1.2-7.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-clamp-1.1.2-7.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-domain_name-0.5.20160310-5.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-fast_gettext-1.4.1-5.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-foreman_maintain-1.0.12-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-foreman_maintain-1.0.12-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli-3.1.0.1-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman-3.1.0.1-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_admin-1.1.0-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_ansible-0.3.4-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_azure_rm-0.2.2-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_bootdisk-0.3.0-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_discovery-1.1.0-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_openscap-0.1.13-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_remote_execution-0.2.2-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_tasks-0.0.17-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_templates-0.2.0-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_virt_who_configure-0.0.9-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_webhooks-0.0.2-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_katello-1.3.1.6-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hashie-3.6.0-3.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-highline-2.0.3-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-highline-2.0.3-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-http-cookie-1.0.2-5.1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-jwt-2.2.2-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-little-plugger-1.1.4-3.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-locale-2.0.9-15.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-logging-2.3.0-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-mime-types-3.3.1-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-mime-types-data-3.2018.0812-5.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-multi_json-1.14.1-3.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-netrc-0.11.0-6.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-oauth-0.5.4-5.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-powerbar-2.0.1-3.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-rest-client-2.0.2-4.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unf-0.1.3-9.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unf_ext-0.0.7.2-4.1.el8sat.x86_64.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unf_ext-debugsource-0.0.7.2-4.1.el8sat.x86_64.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unicode-0.4.4.4-4.1.el8sat.x86_64.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unicode-debugsource-0.4.4.4-4.1.el8sat.x86_64.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unicode-display_width-1.7.0-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release satellite-cli-6.11.0-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release satellite-cli-6.11.0-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release satellite-clone-3.1.0-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release satellite-clone-3.1.0-2.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release satellite-maintain-0.0.1-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release satellite-maintain-0.0.1-1.el8sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-amazing_print-1.1.0-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-apipie-bindings-0.4.0-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-clamp-1.1.2-7.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-domain_name-0.5.20160310-5.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-fast_gettext-1.4.1-5.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli-3.1.0.1-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman-3.1.0.1-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_admin-1.1.0-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_ansible-0.3.4-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_azure_rm-0.2.2-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_bootdisk-0.3.0-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_discovery-1.1.0-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_openscap-0.1.13-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_remote_execution-0.2.2-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_tasks-0.0.17-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_templates-0.2.0-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_virt_who_configure-0.0.9-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_webhooks-0.0.2-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_katello-1.3.1.6-1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hashie-3.6.0-3.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-highline-2.0.3-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-http-cookie-1.0.2-5.1.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-jwt-2.2.2-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-little-plugger-1.1.4-3.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-locale-2.0.9-15.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-logging-2.3.0-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-mime-types-3.3.1-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-mime-types-data-3.2018.0812-5.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-multi_json-1.14.1-3.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-netrc-0.11.0-6.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-oauth-0.5.4-5.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-powerbar-2.0.1-3.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-rest-client-2.0.2-4.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-unf-0.1.3-9.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-unf_ext-0.0.7.2-4.1.el7sat.x86_64.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-unicode-0.4.4.4-4.1.el7sat.x86_64.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-unicode-display_width-1.7.0-2.el7sat.noarch.rpm | Linux
(RHSA-2022:5498) Satellite 6.11 Release tfm-runtime-7.0-1.el7sat.x86_64.rpm | Linux
Vulnerabilities CVE-2021-21409 are fixed in netty-codec-http2 for Linux 4.1.61 | Linux
Multiple vulnerabilities are affected in JBoss-netty for Linux 3.9.9 | Linux
Multiple vulnerabilities are affected in netty for Linux 3.9.9 | Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2021-21409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21409