critical
9.1
CWE
444 79
Advisory Published
CVE Published
Advisory Published
Updated

CVE-2019-20444: XSS

First published: Wed Jan 29 2020(Updated: )

A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability.

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
maven/io.netty:netty<4.0.0
maven/org.jboss.netty:netty<4.0.0
maven/io.netty:netty-codec-http>=4.0.0<4.1.44
4.1.44
redhat/qpid-proton<0:0.30.0-4.el6_10
0:0.30.0-4.el6_10
redhat/qpid-proton<0:0.30.0-2.el7
0:0.30.0-2.el7
redhat/nodejs-rhea<0:1.0.16-1.el8
0:1.0.16-1.el8
redhat/qpid-proton<0:0.30.0-3.el8
0:0.30.0-3.el8
redhat/eap7-netty<0:4.1.45-1.Final_redhat_00001.1.el6ea
0:4.1.45-1.Final_redhat_00001.1.el6ea
redhat/eap7-activemq-artemis<0:2.9.0-2.redhat_00009.1.el6ea
0:2.9.0-2.redhat_00009.1.el6ea
redhat/eap7-apache-commons-beanutils<0:1.9.4-1.redhat_00002.1.el6ea
0:1.9.4-1.redhat_00002.1.el6ea
redhat/eap7-glassfish-el<0:3.0.1-4.b08_redhat_00003.1.el6ea
0:3.0.1-4.b08_redhat_00003.1.el6ea
redhat/eap7-glassfish-jaxb<0:2.3.3-4.b02_redhat_00001.1.el6ea
0:2.3.3-4.b02_redhat_00001.1.el6ea
redhat/eap7-glassfish-jsf<0:2.3.5-7.SP3_redhat_00005.1.el6ea
0:2.3.5-7.SP3_redhat_00005.1.el6ea
redhat/eap7-hal-console<0:3.0.20-1.Final_redhat_00001.1.el6ea
0:3.0.20-1.Final_redhat_00001.1.el6ea
redhat/eap7-hibernate<0:5.3.15-1.Final_redhat_00001.1.el6ea
0:5.3.15-1.Final_redhat_00001.1.el6ea
redhat/eap7-infinispan<0:9.3.8-1.Final_redhat_00001.1.el6ea
0:9.3.8-1.Final_redhat_00001.1.el6ea
redhat/eap7-ironjacamar<0:1.4.20-1.Final_redhat_00001.1.el6ea
0:1.4.20-1.Final_redhat_00001.1.el6ea
redhat/eap7-jackson-databind<0:2.9.10.2-1.redhat_00001.1.el6ea
0:2.9.10.2-1.redhat_00001.1.el6ea
redhat/eap7-jaegertracing-jaeger-client-java<0:0.34.1-1.redhat_00002.1.el6ea
0:0.34.1-1.redhat_00002.1.el6ea
redhat/eap7-jboss-ejb-client<0:4.0.28-1.Final_redhat_00001.1.el6ea
0:4.0.28-1.Final_redhat_00001.1.el6ea
redhat/eap7-jboss-remoting<0:5.0.17-1.Final_redhat_00001.1.el6ea
0:5.0.17-1.Final_redhat_00001.1.el6ea
redhat/eap7-jboss-server-migration<0:1.3.1-8.Final_redhat_00009.1.el6ea
0:1.3.1-8.Final_redhat_00009.1.el6ea
redhat/eap7-picketlink-bindings<0:2.5.5-23.SP12_redhat_00012.1.el6ea
0:2.5.5-23.SP12_redhat_00012.1.el6ea
redhat/eap7-stax2-api<0:4.2.0-1.redhat_00001.1.el6ea
0:4.2.0-1.redhat_00001.1.el6ea
redhat/eap7-sun-istack-commons<0:3.0.10-1.redhat_00001.1.el6ea
0:3.0.10-1.redhat_00001.1.el6ea
redhat/eap7-thrift<0:0.13.0-1.redhat_00002.1.el6ea
0:0.13.0-1.redhat_00002.1.el6ea
redhat/eap7-wildfly<0:7.2.7-4.GA_redhat_00004.1.el6ea
0:7.2.7-4.GA_redhat_00004.1.el6ea
redhat/eap7-wildfly-http-client<0:1.0.20-1.Final_redhat_00001.1.el6ea
0:1.0.20-1.Final_redhat_00001.1.el6ea
redhat/eap7-wildfly-openssl<0:1.0.9-2.SP03_redhat_00001.1.el6ea
0:1.0.9-2.SP03_redhat_00001.1.el6ea
redhat/eap7-wildfly-transaction-client<0:1.1.9-1.Final_redhat_00001.1.el6ea
0:1.1.9-1.Final_redhat_00001.1.el6ea
redhat/eap7-woodstox-core<0:6.0.3-1.redhat_00001.1.el6ea
0:6.0.3-1.redhat_00001.1.el6ea
redhat/eap7-xml-security<0:2.1.4-1.redhat_00001.1.el6ea
0:2.1.4-1.redhat_00001.1.el6ea
redhat/eap7-netty<0:4.1.45-1.Final_redhat_00001.1.el7ea
0:4.1.45-1.Final_redhat_00001.1.el7ea
redhat/eap7-activemq-artemis<0:2.9.0-2.redhat_00009.1.el7ea
0:2.9.0-2.redhat_00009.1.el7ea
redhat/eap7-apache-commons-beanutils<0:1.9.4-1.redhat_00002.1.el7ea
0:1.9.4-1.redhat_00002.1.el7ea
redhat/eap7-glassfish-el<0:3.0.1-4.b08_redhat_00003.1.el7ea
0:3.0.1-4.b08_redhat_00003.1.el7ea
redhat/eap7-glassfish-jaxb<0:2.3.3-4.b02_redhat_00001.1.el7ea
0:2.3.3-4.b02_redhat_00001.1.el7ea
redhat/eap7-glassfish-jsf<0:2.3.5-7.SP3_redhat_00005.1.el7ea
0:2.3.5-7.SP3_redhat_00005.1.el7ea
redhat/eap7-hal-console<0:3.0.20-1.Final_redhat_00001.1.el7ea
0:3.0.20-1.Final_redhat_00001.1.el7ea
redhat/eap7-hibernate<0:5.3.15-1.Final_redhat_00001.1.el7ea
0:5.3.15-1.Final_redhat_00001.1.el7ea
redhat/eap7-infinispan<0:9.3.8-1.Final_redhat_00001.1.el7ea
0:9.3.8-1.Final_redhat_00001.1.el7ea
redhat/eap7-ironjacamar<0:1.4.20-1.Final_redhat_00001.1.el7ea
0:1.4.20-1.Final_redhat_00001.1.el7ea
redhat/eap7-jackson-databind<0:2.9.10.2-1.redhat_00001.1.el7ea
0:2.9.10.2-1.redhat_00001.1.el7ea
redhat/eap7-jaegertracing-jaeger-client-java<0:0.34.1-1.redhat_00002.1.el7ea
0:0.34.1-1.redhat_00002.1.el7ea
redhat/eap7-jboss-ejb-client<0:4.0.28-1.Final_redhat_00001.1.el7ea
0:4.0.28-1.Final_redhat_00001.1.el7ea
redhat/eap7-jboss-remoting<0:5.0.17-1.Final_redhat_00001.1.el7ea
0:5.0.17-1.Final_redhat_00001.1.el7ea
redhat/eap7-jboss-server-migration<0:1.3.1-8.Final_redhat_00009.1.el7ea
0:1.3.1-8.Final_redhat_00009.1.el7ea
redhat/eap7-picketlink-bindings<0:2.5.5-23.SP12_redhat_00012.1.el7ea
0:2.5.5-23.SP12_redhat_00012.1.el7ea
redhat/eap7-stax2-api<0:4.2.0-1.redhat_00001.1.el7ea
0:4.2.0-1.redhat_00001.1.el7ea
redhat/eap7-sun-istack-commons<0:3.0.10-1.redhat_00001.1.el7ea
0:3.0.10-1.redhat_00001.1.el7ea
redhat/eap7-thrift<0:0.13.0-1.redhat_00002.1.el7ea
0:0.13.0-1.redhat_00002.1.el7ea
redhat/eap7-wildfly<0:7.2.7-4.GA_redhat_00004.1.el7ea
0:7.2.7-4.GA_redhat_00004.1.el7ea
redhat/eap7-wildfly-http-client<0:1.0.20-1.Final_redhat_00001.1.el7ea
0:1.0.20-1.Final_redhat_00001.1.el7ea
redhat/eap7-wildfly-openssl<0:1.0.9-2.SP03_redhat_00001.1.el7ea
0:1.0.9-2.SP03_redhat_00001.1.el7ea
redhat/eap7-wildfly-transaction-client<0:1.1.9-1.Final_redhat_00001.1.el7ea
0:1.1.9-1.Final_redhat_00001.1.el7ea
redhat/eap7-woodstox-core<0:6.0.3-1.redhat_00001.1.el7ea
0:6.0.3-1.redhat_00001.1.el7ea
redhat/eap7-xml-security<0:2.1.4-1.redhat_00001.1.el7ea
0:2.1.4-1.redhat_00001.1.el7ea
redhat/eap7-netty<0:4.1.45-1.Final_redhat_00001.1.el8ea
0:4.1.45-1.Final_redhat_00001.1.el8ea
redhat/eap7-activemq-artemis<0:2.9.0-2.redhat_00009.1.el8ea
0:2.9.0-2.redhat_00009.1.el8ea
redhat/eap7-apache-commons-beanutils<0:1.9.4-1.redhat_00002.1.el8ea
0:1.9.4-1.redhat_00002.1.el8ea
redhat/eap7-glassfish-el<0:3.0.1-4.b08_redhat_00003.1.el8ea
0:3.0.1-4.b08_redhat_00003.1.el8ea
redhat/eap7-glassfish-jaxb<0:2.3.3-4.b02_redhat_00001.1.el8ea
0:2.3.3-4.b02_redhat_00001.1.el8ea
redhat/eap7-glassfish-jsf<0:2.3.5-7.SP3_redhat_00005.1.el8ea
0:2.3.5-7.SP3_redhat_00005.1.el8ea
redhat/eap7-hal-console<0:3.0.20-1.Final_redhat_00001.1.el8ea
0:3.0.20-1.Final_redhat_00001.1.el8ea
redhat/eap7-hibernate<0:5.3.15-1.Final_redhat_00001.1.el8ea
0:5.3.15-1.Final_redhat_00001.1.el8ea
redhat/eap7-infinispan<0:9.3.8-1.Final_redhat_00001.1.el8ea
0:9.3.8-1.Final_redhat_00001.1.el8ea
redhat/eap7-ironjacamar<0:1.4.20-1.Final_redhat_00001.1.el8ea
0:1.4.20-1.Final_redhat_00001.1.el8ea
redhat/eap7-jackson-databind<0:2.9.10.2-1.redhat_00001.1.el8ea
0:2.9.10.2-1.redhat_00001.1.el8ea
redhat/eap7-jaegertracing-jaeger-client-java<0:0.34.1-1.redhat_00002.1.el8ea
0:0.34.1-1.redhat_00002.1.el8ea
redhat/eap7-jboss-ejb-client<0:4.0.28-1.Final_redhat_00001.1.el8ea
0:4.0.28-1.Final_redhat_00001.1.el8ea
redhat/eap7-jboss-remoting<0:5.0.17-1.Final_redhat_00001.1.el8ea
0:5.0.17-1.Final_redhat_00001.1.el8ea
redhat/eap7-jboss-server-migration<0:1.3.1-8.Final_redhat_00009.1.el8ea
0:1.3.1-8.Final_redhat_00009.1.el8ea
redhat/eap7-picketlink-bindings<0:2.5.5-23.SP12_redhat_00012.1.el8ea
0:2.5.5-23.SP12_redhat_00012.1.el8ea
redhat/eap7-stax2-api<0:4.2.0-1.redhat_00001.1.el8ea
0:4.2.0-1.redhat_00001.1.el8ea
redhat/eap7-sun-istack-commons<0:3.0.10-1.redhat_00001.1.el8ea
0:3.0.10-1.redhat_00001.1.el8ea
redhat/eap7-thrift<0:0.13.0-1.redhat_00002.1.el8ea
0:0.13.0-1.redhat_00002.1.el8ea
redhat/eap7-wildfly<0:7.2.7-4.GA_redhat_00004.1.el8ea
0:7.2.7-4.GA_redhat_00004.1.el8ea
redhat/eap7-wildfly-http-client<0:1.0.20-1.Final_redhat_00001.1.el8ea
0:1.0.20-1.Final_redhat_00001.1.el8ea
redhat/eap7-wildfly-openssl<0:1.0.9-2.SP03_redhat_00001.1.el8ea
0:1.0.9-2.SP03_redhat_00001.1.el8ea
redhat/eap7-wildfly-transaction-client<0:1.1.9-1.Final_redhat_00001.1.el8ea
0:1.1.9-1.Final_redhat_00001.1.el8ea
redhat/eap7-woodstox-core<0:6.0.3-1.redhat_00001.1.el8ea
0:6.0.3-1.redhat_00001.1.el8ea
redhat/eap7-xml-security<0:2.1.4-1.redhat_00001.1.el8ea
0:2.1.4-1.redhat_00001.1.el8ea
debian/netty
1:4.1.48-4+deb11u2
1:4.1.48-7+deb12u1
1:4.1.48-10
redhat/netty<4.1.44
4.1.44
Netty Netty<4.1.44
Debian=8.0
Debian=9.0
Debian=10.0
Fedora=33
Ubuntu=18.04
All of
Any of
Red Hat JBoss AMQ Clients=2
redhat jboss enterprise application platform=7.2
redhat jboss enterprise application platform=7.3
Any of
Red Hat Enterprise Linux=6.0
Red Hat Enterprise Linux=7.0
Red Hat Enterprise Linux=8.0
Red Hat JBoss AMQ Clients=2
redhat jboss enterprise application platform=7.2
redhat jboss enterprise application platform=7.3
Red Hat Enterprise Linux=6.0
Red Hat Enterprise Linux=7.0
Red Hat Enterprise Linux=8.0
IBM Data Virtualization on Cloud Pak for Data<=3.0
IBM Watson Query with Cloud Pak for Data as a Service<=2.2
IBM Watson Query with Cloud Pak for Data as a Service<=2.1
IBM Watson Query with Cloud Pak for Data as a Service<=2.0
IBM Data Virtualization on Cloud Pak for Data<=1.8
IBM Data Virtualization on Cloud Pak for Data<=1.7

Remedy

https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final

Remedy

https://github.com/netty/netty/issues/9866

Remedy

* Use HTTP/2 instead (clear boundaries between requests) * Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the severity of CVE-2019-20444?

    CVE-2019-20444 has been rated as a medium severity vulnerability due to the potential for HTTP smuggling attacks.

  • How do I fix CVE-2019-20444?

    To fix CVE-2019-20444, update the affected Netty versions to 4.1.44 or later.

  • Which versions of Netty are affected by CVE-2019-20444?

    CVE-2019-20444 affects Netty versions prior to 4.1.44.

  • What type of vulnerability is CVE-2019-20444?

    CVE-2019-20444 is an HTTP smuggling vulnerability that can lead to header misinterpretation.

  • Is CVE-2019-20444 exploitable in production systems?

    Yes, CVE-2019-20444 can be exploited in production systems if they use the affected versions of Netty.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203