CVE-2019-16869: XSS
First published: Thu Sep 26 2019(Updated: )
A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/netty | <=1:4.1.33-1<=1:4.1.7-2 | 1:4.1.33-2 1:4.1.33-1+deb10u1 1:4.1.7-2+deb9u1 |
| redhat/eap7-apache-cxf | <0:3.2.11-1.redhat_00001.1.el6ea | 0:3.2.11-1.redhat_00001.1.el6ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-6.SP3_redhat_00004.1.el6ea | 0:2.3.5-6.SP3_redhat_00004.1.el6ea |
| redhat/eap7-hal-console | <0:3.0.19-1.Final_redhat_00001.1.el6ea | 0:3.0.19-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hibernate | <0:5.3.14-1.Final_redhat_00001.1.el6ea | 0:5.3.14-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hibernate-validator | <0:6.0.18-1.Final_redhat_00001.1.el6ea | 0:6.0.18-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jackson-annotations | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-core | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-databind | <0:2.9.10.1-1.redhat_00001.1.el6ea | 0:2.9.10.1-1.redhat_00001.1.el6ea |
| redhat/eap7-jackson-dataformats-binary | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-dataformats-text | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jackson-modules-base | <0:2.9.10-2.redhat_00003.1.el6ea | 0:2.9.10-2.redhat_00003.1.el6ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.10-1.redhat_00003.1.el6ea | 0:2.9.10-1.redhat_00003.1.el6ea |
| redhat/eap7-jberet | <0:1.3.5-1.Final_redhat_00001.1.el6ea | 0:1.3.5-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.27-1.Final_redhat_00001.1.el6ea | 0:4.0.27-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-7.Final_redhat_00007.1.el6ea | 0:1.3.1-7.Final_redhat_00007.1.el6ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.6-3.SP2_redhat_00001.1.el6ea | 0:3.7.6-3.SP2_redhat_00001.1.el6ea |
| redhat/eap7-netty | <0:4.1.42-1.Final_redhat_00001.1.el6ea | 0:4.1.42-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-21.SP12_redhat_00010.1.el6ea | 0:2.5.5-21.SP12_redhat_00010.1.el6ea |
| redhat/eap7-undertow | <0:2.0.28-2.SP1_redhat_00001.1.el6ea | 0:2.0.28-2.SP1_redhat_00001.1.el6ea |
| redhat/eap7-undertow-jastow | <0:2.0.8-1.Final_redhat_00001.1.el6ea | 0:2.0.8-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-weld-core | <0:3.0.6-3.Final_redhat_00003.1.el6ea | 0:3.0.6-3.Final_redhat_00003.1.el6ea |
| redhat/eap7-wildfly | <0:7.2.6-5.GA_redhat_00001.1.el6ea | 0:7.2.6-5.GA_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-http-client | <0:1.0.18-2.Final_redhat_00001.1.el6ea | 0:1.0.18-2.Final_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.8-1.Final_redhat_00001.1.el6ea | 0:1.1.8-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-apache-cxf | <0:3.2.11-1.redhat_00001.1.el7ea | 0:3.2.11-1.redhat_00001.1.el7ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-6.SP3_redhat_00004.1.el7ea | 0:2.3.5-6.SP3_redhat_00004.1.el7ea |
| redhat/eap7-hal-console | <0:3.0.19-1.Final_redhat_00001.1.el7ea | 0:3.0.19-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hibernate | <0:5.3.14-1.Final_redhat_00001.1.el7ea | 0:5.3.14-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hibernate-validator | <0:6.0.18-1.Final_redhat_00001.1.el7ea | 0:6.0.18-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jackson-annotations | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-core | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-databind | <0:2.9.10.1-1.redhat_00001.1.el7ea | 0:2.9.10.1-1.redhat_00001.1.el7ea |
| redhat/eap7-jackson-dataformats-binary | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-dataformats-text | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jackson-modules-base | <0:2.9.10-2.redhat_00003.1.el7ea | 0:2.9.10-2.redhat_00003.1.el7ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.10-1.redhat_00003.1.el7ea | 0:2.9.10-1.redhat_00003.1.el7ea |
| redhat/eap7-jberet | <0:1.3.5-1.Final_redhat_00001.1.el7ea | 0:1.3.5-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.27-1.Final_redhat_00001.1.el7ea | 0:4.0.27-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-7.Final_redhat_00007.1.el7ea | 0:1.3.1-7.Final_redhat_00007.1.el7ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.6-3.SP2_redhat_00001.1.el7ea | 0:3.7.6-3.SP2_redhat_00001.1.el7ea |
| redhat/eap7-netty | <0:4.1.42-1.Final_redhat_00001.1.el7ea | 0:4.1.42-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-21.SP12_redhat_00010.1.el7ea | 0:2.5.5-21.SP12_redhat_00010.1.el7ea |
| redhat/eap7-undertow | <0:2.0.28-2.SP1_redhat_00001.1.el7ea | 0:2.0.28-2.SP1_redhat_00001.1.el7ea |
| redhat/eap7-undertow-jastow | <0:2.0.8-1.Final_redhat_00001.1.el7ea | 0:2.0.8-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-weld-core | <0:3.0.6-3.Final_redhat_00003.1.el7ea | 0:3.0.6-3.Final_redhat_00003.1.el7ea |
| redhat/eap7-wildfly | <0:7.2.6-5.GA_redhat_00001.1.el7ea | 0:7.2.6-5.GA_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-http-client | <0:1.0.18-2.Final_redhat_00001.1.el7ea | 0:1.0.18-2.Final_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.8-1.Final_redhat_00001.1.el7ea | 0:1.1.8-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-apache-cxf | <0:3.2.11-1.redhat_00001.1.el8ea | 0:3.2.11-1.redhat_00001.1.el8ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-6.SP3_redhat_00004.1.el8ea | 0:2.3.5-6.SP3_redhat_00004.1.el8ea |
| redhat/eap7-hal-console | <0:3.0.19-1.Final_redhat_00001.1.el8ea | 0:3.0.19-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hibernate | <0:5.3.14-1.Final_redhat_00001.1.el8ea | 0:5.3.14-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hibernate-validator | <0:6.0.18-1.Final_redhat_00001.1.el8ea | 0:6.0.18-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jackson-annotations | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-core | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-databind | <0:2.9.10.1-1.redhat_00001.1.el8ea | 0:2.9.10.1-1.redhat_00001.1.el8ea |
| redhat/eap7-jackson-dataformats-binary | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-dataformats-text | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-jaxrs-providers | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jackson-modules-base | <0:2.9.10-2.redhat_00003.1.el8ea | 0:2.9.10-2.redhat_00003.1.el8ea |
| redhat/eap7-jackson-modules-java8 | <0:2.9.10-1.redhat_00003.1.el8ea | 0:2.9.10-1.redhat_00003.1.el8ea |
| redhat/eap7-jberet | <0:1.3.5-1.Final_redhat_00001.1.el8ea | 0:1.3.5-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.27-1.Final_redhat_00001.1.el8ea | 0:4.0.27-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-7.Final_redhat_00007.1.el8ea | 0:1.3.1-7.Final_redhat_00007.1.el8ea |
| redhat/eap7-jboss-xnio-base | <0:3.7.6-3.SP2_redhat_00001.1.el8ea | 0:3.7.6-3.SP2_redhat_00001.1.el8ea |
| redhat/eap7-netty | <0:4.1.42-1.Final_redhat_00001.1.el8ea | 0:4.1.42-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-21.SP12_redhat_00010.1.el8ea | 0:2.5.5-21.SP12_redhat_00010.1.el8ea |
| redhat/eap7-undertow | <0:2.0.28-2.SP1_redhat_00001.1.el8ea | 0:2.0.28-2.SP1_redhat_00001.1.el8ea |
| redhat/eap7-undertow-jastow | <0:2.0.8-1.Final_redhat_00001.1.el8ea | 0:2.0.8-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-weld-core | <0:3.0.6-3.Final_redhat_00003.1.el8ea | 0:3.0.6-3.Final_redhat_00003.1.el8ea |
| redhat/eap7-wildfly | <0:7.2.6-5.GA_redhat_00001.1.el8ea | 0:7.2.6-5.GA_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-http-client | <0:1.0.18-2.Final_redhat_00001.1.el8ea | 0:1.0.18-2.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.8-1.Final_redhat_00001.1.el8ea | 0:1.1.8-1.Final_redhat_00001.1.el8ea |
| maven/io.netty:netty-all | >=4.0.0.Alpha1<4.1.42.Final | 4.1.42.Final |
| maven/org.jboss.netty:netty | <4.0.0 | |
| debian/netty | 1:4.1.48-4+deb11u2 1:4.1.48-7+deb12u1 1:4.1.48-10 | |
| redhat/netty | <4.1.42. | 4.1.42. |
| NettyRPC | <4.1.42 | |
| Debian Linux | =8.0 | |
| Debian Linux | =9.0 | |
| Debian Linux | =10.0 | |
| Ubuntu | =18.04 | |
| All of | ||
| Any of | ||
| JBoss Enterprise Application Platform | =7.2 | |
| JBoss Enterprise Application Platform | =7.3 | |
| JBoss Enterprise Application Platform | =7.4 | |
| Any of | ||
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| JBoss Enterprise Application Platform | =7.2 | |
| JBoss Enterprise Application Platform | =7.3 | |
| JBoss Enterprise Application Platform | =7.4 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 |
Remedy
* Use HTTP/2 instead (clear boundaries between requests) * Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/netty/netty/issues/9571
- https://security-tracker.debian.org/tracker/CVE-2019-16869
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
- https://salsa.debian.org/java-team/netty/commit/64ec32d2b0a24f95128352dcdc97b3ae44986f1d
- https://bugs.debian.org/941266
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941266
- https://www.cve.org/CVERecord?id=CVE-2019-16869 https://nvd.nist.gov/vuln/detail/CVE-2019-16869
- https://bugzilla.redhat.com/show_bug.cgi?id=1758619
- https://access.redhat.com/errata/RHSA-2020:0922
- https://access.redhat.com/errata/RHSA-2020:1445
- https://access.redhat.com/errata/RHSA-2020:3196
- https://access.redhat.com/errata/RHSA-2020:2321
- https://access.redhat.com/errata/RHSA-2020:0164
- https://access.redhat.com/errata/RHSA-2020:0159
- https://access.redhat.com/errata/RHSA-2020:0160
- https://access.redhat.com/errata/RHSA-2020:0161
- https://access.redhat.com/errata/RHSA-2020:2333
- https://access.redhat.com/errata/RHSA-2019:3892
- https://access.redhat.com/errata/RHSA-2021:3140
- https://access.redhat.com/errata/RHSA-2020:3197
- https://access.redhat.com/errata/RHSA-2020:0445
- https://access.redhat.com/errata/RHSA-2019:3901
- https://access.redhat.com/security/cve/CVE-2019-16869
- https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final
- https://lists.apache.org/thread.html/0acadfb96176768caac79b404110df62d14d30aa9d53b6dbdb1407ac@%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/19fed892608db1efe5a5ce14372137669ff639df0205323959af7de3@%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/2494a2ac7f66af6e4646a4937b17972a4ec7cd3c7333c66ffd6c639d@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/2e1cf538b502713c2c42ffa46d81f4688edb5676eb55bd9fc4b4fed7@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/35961d1ae00849974353a932b4fef12ebce074541552eceefa04f1fd@%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/37ed432b8eb35d8bd757f53783ec3e334bd51f514534432bea7f1c3d@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/380f6d2730603a2cd6b0a8bea9bcb21a86c199147e77e448c5f7390b@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/3e6d7aae1cca10257e3caf2d69b22f74c875f12a1314155af422569d@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/51923a9ba513b2e816e02a9d1fd8aa6f12e3e4e99bbd9dc884bccbbe@%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/6063699b87b501ecca8dd3b0e82251bfc85f29363a9b46ac5ace80cf@%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/64b10f49c68333aaecf00348c5670fe182e49fd60d45c4a3ab241f8b@%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/681493a2f9b63f5b468f741d88d1aa51b2cfcf7a1c5b74ea8c4343fb@%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/6e1e34c0d5635a987d595df9e532edac212307243bb1b49eead6d55b@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/76540c8b0ed761bfa6c81fa28c13057f13a5448aed079d656f6a3c79@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/799eb85d67cbddc1851a3e63a07b55e95b2f44f1685225d38570ce89@%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/860acce024d79837e963a51a42bab2cef8e8d017aad2b455ecd1dcf0@%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/9128111213b7b734ffc85db08d8f789b00a85a7f241b708e55debbd0@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/a0f77c73af32cbe4ff0968bfcbbe80ae6361f3dccdd46f3177547266@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/af6e9c2d716868606523857a4cd7a5ee506e6d1710f5fb0d567ec030@%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b264fa5801e87698e9f43f2b5585fbc5ebdc26c6f4aad861b258fb69@%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/b2cd51795f938632c6f60a4c59d9e587fbacd7f7d0e0a3684850a30f@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/b3dda6399a0ea2b647624b899fd330fca81834e41b13e3e11e1002d8@%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/b3ddeebbfaf8a288d7de8ab2611cf2609ab76b9809f0633248546b7c@%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/bdf7a5e597346a75d2d884ca48c767525e35137ad59d8f10b8fc943c@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/cbf6e6a04cb37e9320ad20e437df63beeab1755fc0761918ed5c5a6e@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/cf5aa087632ead838f8ac3a42e9837684e7afe6e0fcb7704e0c73bc0@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/d14f721e0099b914daebe29bca199fde85d8354253be9d6d3d46507a@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/d3eb0dbea75ef5c400bd49dfa1901ad50be606cca3cb29e0d01b6a54@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/d7d530599dc7813056c712213e367b68cdf56fb5c9b73f864870bc4c@%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/e192fe8797c192679759ffa6b15e4d0806546945a41d8ebfbc6ee3ac@%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/e39931d7cdd17241e69a0a09a89d99d7435bcc59afee8a9628d67769@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ee6faea9e542c0b90afd70297a9daa203e20d41aa2ac7fca6703662f@%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/f6c5ebfb018787c764f000362d59e4b231c0a36b6253aa866de8c64e@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r3225f7dfe6b8a37e800ecb8e31abd7ac6c4312dbd3223dd8139c37bb@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r73c400ab66d79821dec9e3472f0e2c048d528672bdb0f8bf44d7cb1f@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r831e0548fad736a98140d0b3b7dc575af0c50faea0b266434ba813cc@%3Cdev.rocketmq.apache.org%3E
- https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rb25b42f666d2cac5e6e6b3f771faf60d1f1aa58073dcdd8db14edf8a@%3Cdev.rocketmq.apache.org%3E
- https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rcddf723a4b4117f8ed6042e9ac25e8c5110a617bab77694b61b14833@%3Cdev.rocketmq.apache.org%3E
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/09/msg00035.html
- https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html
- https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html
- https://seclists.org/bugtraq/2020/Jan/6
- https://usn.ubuntu.com/4532-1/
- https://www.debian.org/security/2020/dsa-4597
- https://launchpad.net/bugs/cve/CVE-2019-16869
- https://lists.apache.org/thread.html/0acadfb96176768caac79b404110df62d14d30aa9d53b6dbdb1407ac%40%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/19fed892608db1efe5a5ce14372137669ff639df0205323959af7de3%40%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/2494a2ac7f66af6e4646a4937b17972a4ec7cd3c7333c66ffd6c639d%40%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/2e1cf538b502713c2c42ffa46d81f4688edb5676eb55bd9fc4b4fed7%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/35961d1ae00849974353a932b4fef12ebce074541552eceefa04f1fd%40%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/37ed432b8eb35d8bd757f53783ec3e334bd51f514534432bea7f1c3d%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/380f6d2730603a2cd6b0a8bea9bcb21a86c199147e77e448c5f7390b%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/3e6d7aae1cca10257e3caf2d69b22f74c875f12a1314155af422569d%40%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/51923a9ba513b2e816e02a9d1fd8aa6f12e3e4e99bbd9dc884bccbbe%40%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/6063699b87b501ecca8dd3b0e82251bfc85f29363a9b46ac5ace80cf%40%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/64b10f49c68333aaecf00348c5670fe182e49fd60d45c4a3ab241f8b%40%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/681493a2f9b63f5b468f741d88d1aa51b2cfcf7a1c5b74ea8c4343fb%40%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/6e1e34c0d5635a987d595df9e532edac212307243bb1b49eead6d55b%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/76540c8b0ed761bfa6c81fa28c13057f13a5448aed079d656f6a3c79%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/799eb85d67cbddc1851a3e63a07b55e95b2f44f1685225d38570ce89%40%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/860acce024d79837e963a51a42bab2cef8e8d017aad2b455ecd1dcf0%40%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/9128111213b7b734ffc85db08d8f789b00a85a7f241b708e55debbd0%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/a0f77c73af32cbe4ff0968bfcbbe80ae6361f3dccdd46f3177547266%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/af6e9c2d716868606523857a4cd7a5ee506e6d1710f5fb0d567ec030%40%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b264fa5801e87698e9f43f2b5585fbc5ebdc26c6f4aad861b258fb69%40%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/b2cd51795f938632c6f60a4c59d9e587fbacd7f7d0e0a3684850a30f%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/b3dda6399a0ea2b647624b899fd330fca81834e41b13e3e11e1002d8%40%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/b3ddeebbfaf8a288d7de8ab2611cf2609ab76b9809f0633248546b7c%40%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/bdf7a5e597346a75d2d884ca48c767525e35137ad59d8f10b8fc943c%40%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/cbf6e6a04cb37e9320ad20e437df63beeab1755fc0761918ed5c5a6e%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/cf5aa087632ead838f8ac3a42e9837684e7afe6e0fcb7704e0c73bc0%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/d14f721e0099b914daebe29bca199fde85d8354253be9d6d3d46507a%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/d3eb0dbea75ef5c400bd49dfa1901ad50be606cca3cb29e0d01b6a54%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/d7d530599dc7813056c712213e367b68cdf56fb5c9b73f864870bc4c%40%3Cdev.olingo.apache.org%3E
- https://lists.apache.org/thread.html/e192fe8797c192679759ffa6b15e4d0806546945a41d8ebfbc6ee3ac%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/e39931d7cdd17241e69a0a09a89d99d7435bcc59afee8a9628d67769%40%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ee6faea9e542c0b90afd70297a9daa203e20d41aa2ac7fca6703662f%40%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/f6c5ebfb018787c764f000362d59e4b231c0a36b6253aa866de8c64e%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r3225f7dfe6b8a37e800ecb8e31abd7ac6c4312dbd3223dd8139c37bb%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r73c400ab66d79821dec9e3472f0e2c048d528672bdb0f8bf44d7cb1f%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r831e0548fad736a98140d0b3b7dc575af0c50faea0b266434ba813cc%40%3Cdev.rocketmq.apache.org%3E
- https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4%40%3Ccommon-commits.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rb25b42f666d2cac5e6e6b3f771faf60d1f1aa58073dcdd8db14edf8a%40%3Cdev.rocketmq.apache.org%3E
- https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6%40%3Ccommon-commits.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rcddf723a4b4117f8ed6042e9ac25e8c5110a617bab77694b61b14833%40%3Cdev.rocketmq.apache.org%3E
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9%40%3Ccommon-commits.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2019-16869
- https://usn.ubuntu.com/4532-1
- https://github.com/advisories/GHSA-p979-4mfw-53vg (Advisory)
- https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
- https://exchange.xforce.ibmcloud.com/vulnerabilities/167672
- https://www.ibm.com/support/pages/node/6520510 (Advisory)
- https://netty.io/news/2019/09/25/4-1-42-Final.html
- https://access.redhat.com/security/cve/cve-2019-16869
- https://github.com/elastic/elasticsearch/issues/49396
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2024:5856
- https://ubuntu.com/security/CVE-2019-16869
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2019-16869?
CVE-2019-16869 is considered a moderate severity vulnerability as it enables HTTP request smuggling due to improper handling of whitespace in HTTP headers.
How do I fix CVE-2019-16869?
To fix CVE-2019-16869, upgrade to Netty version 4.1.42.Final or later.
Which versions of Netty are affected by CVE-2019-16869?
CVE-2019-16869 affects Netty versions prior to 4.1.42.Final.
What types of attacks can CVE-2019-16869 facilitate?
CVE-2019-16869 can facilitate HTTP request smuggling attacks, potentially allowing attackers to bypass security controls.
What software packages are impacted by CVE-2019-16869?
CVE-2019-16869 impacts various software packages, including Netty, Red Hat JBoss Enterprise Application Platform, and Debian packages that employ vulnerable versions.
- collector/debian-bugs
- alias/CVE-2019-16869
- collector/redhat-cve
- collector/launchpad-cve
- source/Launchpad
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- agent/severity
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-p979-4mfw-53vg
- agent/software-canonical-lookup
- collector/github-advisory
- collector/security-tracker-debian
- source/Debian
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/event
- agent/trending
- agent/last-modified-date
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/debian
- package-manager/redhat
- package-manager/maven
- vendor/netty
- canonical/nettyrpc
- vendor/debian
- canonical/debian linux
- version/debian linux/8.0
- version/debian linux/9.0
- version/debian linux/10.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/18.04
- vendor/redhat
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/7.2
- version/jboss enterprise application platform/7.3
- version/jboss enterprise application platform/7.4
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0