CVE-2019-20445
First published: Wed Jan 29 2020(Updated: )
A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/io.netty:netty | <4.0.0 | |
| maven/org.jboss.netty:netty | <4.0.0 | |
| maven/io.netty:netty-handler | >=4.0.0<4.1.45 | 4.1.45 |
| redhat/qpid-proton | <0:0.30.0-4.el6_10 | 0:0.30.0-4.el6_10 |
| redhat/qpid-proton | <0:0.30.0-2.el7 | 0:0.30.0-2.el7 |
| redhat/nodejs-rhea | <0:1.0.16-1.el8 | 0:1.0.16-1.el8 |
| redhat/qpid-proton | <0:0.30.0-3.el8 | 0:0.30.0-3.el8 |
| redhat/eap7-netty | <0:4.1.45-1.Final_redhat_00001.1.el6ea | 0:4.1.45-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-activemq-artemis | <0:2.9.0-2.redhat_00009.1.el6ea | 0:2.9.0-2.redhat_00009.1.el6ea |
| redhat/eap7-apache-commons-beanutils | <0:1.9.4-1.redhat_00002.1.el6ea | 0:1.9.4-1.redhat_00002.1.el6ea |
| redhat/eap7-glassfish-el | <0:3.0.1-4.b08_redhat_00003.1.el6ea | 0:3.0.1-4.b08_redhat_00003.1.el6ea |
| redhat/eap7-glassfish-jaxb | <0:2.3.3-4.b02_redhat_00001.1.el6ea | 0:2.3.3-4.b02_redhat_00001.1.el6ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-7.SP3_redhat_00005.1.el6ea | 0:2.3.5-7.SP3_redhat_00005.1.el6ea |
| redhat/eap7-hal-console | <0:3.0.20-1.Final_redhat_00001.1.el6ea | 0:3.0.20-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hibernate | <0:5.3.15-1.Final_redhat_00001.1.el6ea | 0:5.3.15-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-infinispan | <0:9.3.8-1.Final_redhat_00001.1.el6ea | 0:9.3.8-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-ironjacamar | <0:1.4.20-1.Final_redhat_00001.1.el6ea | 0:1.4.20-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jackson-databind | <0:2.9.10.2-1.redhat_00001.1.el6ea | 0:2.9.10.2-1.redhat_00001.1.el6ea |
| redhat/eap7-jaegertracing-jaeger-client-java | <0:0.34.1-1.redhat_00002.1.el6ea | 0:0.34.1-1.redhat_00002.1.el6ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.28-1.Final_redhat_00001.1.el6ea | 0:4.0.28-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-remoting | <0:5.0.17-1.Final_redhat_00001.1.el6ea | 0:5.0.17-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-8.Final_redhat_00009.1.el6ea | 0:1.3.1-8.Final_redhat_00009.1.el6ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-23.SP12_redhat_00012.1.el6ea | 0:2.5.5-23.SP12_redhat_00012.1.el6ea |
| redhat/eap7-stax2-api | <0:4.2.0-1.redhat_00001.1.el6ea | 0:4.2.0-1.redhat_00001.1.el6ea |
| redhat/eap7-sun-istack-commons | <0:3.0.10-1.redhat_00001.1.el6ea | 0:3.0.10-1.redhat_00001.1.el6ea |
| redhat/eap7-thrift | <0:0.13.0-1.redhat_00002.1.el6ea | 0:0.13.0-1.redhat_00002.1.el6ea |
| redhat/eap7-wildfly | <0:7.2.7-4.GA_redhat_00004.1.el6ea | 0:7.2.7-4.GA_redhat_00004.1.el6ea |
| redhat/eap7-wildfly-http-client | <0:1.0.20-1.Final_redhat_00001.1.el6ea | 0:1.0.20-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-openssl | <0:1.0.9-2.SP03_redhat_00001.1.el6ea | 0:1.0.9-2.SP03_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.9-1.Final_redhat_00001.1.el6ea | 0:1.1.9-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-woodstox-core | <0:6.0.3-1.redhat_00001.1.el6ea | 0:6.0.3-1.redhat_00001.1.el6ea |
| redhat/eap7-xml-security | <0:2.1.4-1.redhat_00001.1.el6ea | 0:2.1.4-1.redhat_00001.1.el6ea |
| redhat/eap7-netty | <0:4.1.45-1.Final_redhat_00001.1.el7ea | 0:4.1.45-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-activemq-artemis | <0:2.9.0-2.redhat_00009.1.el7ea | 0:2.9.0-2.redhat_00009.1.el7ea |
| redhat/eap7-apache-commons-beanutils | <0:1.9.4-1.redhat_00002.1.el7ea | 0:1.9.4-1.redhat_00002.1.el7ea |
| redhat/eap7-glassfish-el | <0:3.0.1-4.b08_redhat_00003.1.el7ea | 0:3.0.1-4.b08_redhat_00003.1.el7ea |
| redhat/eap7-glassfish-jaxb | <0:2.3.3-4.b02_redhat_00001.1.el7ea | 0:2.3.3-4.b02_redhat_00001.1.el7ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-7.SP3_redhat_00005.1.el7ea | 0:2.3.5-7.SP3_redhat_00005.1.el7ea |
| redhat/eap7-hal-console | <0:3.0.20-1.Final_redhat_00001.1.el7ea | 0:3.0.20-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hibernate | <0:5.3.15-1.Final_redhat_00001.1.el7ea | 0:5.3.15-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-infinispan | <0:9.3.8-1.Final_redhat_00001.1.el7ea | 0:9.3.8-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-ironjacamar | <0:1.4.20-1.Final_redhat_00001.1.el7ea | 0:1.4.20-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jackson-databind | <0:2.9.10.2-1.redhat_00001.1.el7ea | 0:2.9.10.2-1.redhat_00001.1.el7ea |
| redhat/eap7-jaegertracing-jaeger-client-java | <0:0.34.1-1.redhat_00002.1.el7ea | 0:0.34.1-1.redhat_00002.1.el7ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.28-1.Final_redhat_00001.1.el7ea | 0:4.0.28-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-remoting | <0:5.0.17-1.Final_redhat_00001.1.el7ea | 0:5.0.17-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-8.Final_redhat_00009.1.el7ea | 0:1.3.1-8.Final_redhat_00009.1.el7ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-23.SP12_redhat_00012.1.el7ea | 0:2.5.5-23.SP12_redhat_00012.1.el7ea |
| redhat/eap7-stax2-api | <0:4.2.0-1.redhat_00001.1.el7ea | 0:4.2.0-1.redhat_00001.1.el7ea |
| redhat/eap7-sun-istack-commons | <0:3.0.10-1.redhat_00001.1.el7ea | 0:3.0.10-1.redhat_00001.1.el7ea |
| redhat/eap7-thrift | <0:0.13.0-1.redhat_00002.1.el7ea | 0:0.13.0-1.redhat_00002.1.el7ea |
| redhat/eap7-wildfly | <0:7.2.7-4.GA_redhat_00004.1.el7ea | 0:7.2.7-4.GA_redhat_00004.1.el7ea |
| redhat/eap7-wildfly-http-client | <0:1.0.20-1.Final_redhat_00001.1.el7ea | 0:1.0.20-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-openssl | <0:1.0.9-2.SP03_redhat_00001.1.el7ea | 0:1.0.9-2.SP03_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.9-1.Final_redhat_00001.1.el7ea | 0:1.1.9-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-woodstox-core | <0:6.0.3-1.redhat_00001.1.el7ea | 0:6.0.3-1.redhat_00001.1.el7ea |
| redhat/eap7-xml-security | <0:2.1.4-1.redhat_00001.1.el7ea | 0:2.1.4-1.redhat_00001.1.el7ea |
| redhat/eap7-netty | <0:4.1.45-1.Final_redhat_00001.1.el8ea | 0:4.1.45-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-activemq-artemis | <0:2.9.0-2.redhat_00009.1.el8ea | 0:2.9.0-2.redhat_00009.1.el8ea |
| redhat/eap7-apache-commons-beanutils | <0:1.9.4-1.redhat_00002.1.el8ea | 0:1.9.4-1.redhat_00002.1.el8ea |
| redhat/eap7-glassfish-el | <0:3.0.1-4.b08_redhat_00003.1.el8ea | 0:3.0.1-4.b08_redhat_00003.1.el8ea |
| redhat/eap7-glassfish-jaxb | <0:2.3.3-4.b02_redhat_00001.1.el8ea | 0:2.3.3-4.b02_redhat_00001.1.el8ea |
| redhat/eap7-glassfish-jsf | <0:2.3.5-7.SP3_redhat_00005.1.el8ea | 0:2.3.5-7.SP3_redhat_00005.1.el8ea |
| redhat/eap7-hal-console | <0:3.0.20-1.Final_redhat_00001.1.el8ea | 0:3.0.20-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hibernate | <0:5.3.15-1.Final_redhat_00001.1.el8ea | 0:5.3.15-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-infinispan | <0:9.3.8-1.Final_redhat_00001.1.el8ea | 0:9.3.8-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-ironjacamar | <0:1.4.20-1.Final_redhat_00001.1.el8ea | 0:1.4.20-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jackson-databind | <0:2.9.10.2-1.redhat_00001.1.el8ea | 0:2.9.10.2-1.redhat_00001.1.el8ea |
| redhat/eap7-jaegertracing-jaeger-client-java | <0:0.34.1-1.redhat_00002.1.el8ea | 0:0.34.1-1.redhat_00002.1.el8ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.28-1.Final_redhat_00001.1.el8ea | 0:4.0.28-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-remoting | <0:5.0.17-1.Final_redhat_00001.1.el8ea | 0:5.0.17-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-server-migration | <0:1.3.1-8.Final_redhat_00009.1.el8ea | 0:1.3.1-8.Final_redhat_00009.1.el8ea |
| redhat/eap7-picketlink-bindings | <0:2.5.5-23.SP12_redhat_00012.1.el8ea | 0:2.5.5-23.SP12_redhat_00012.1.el8ea |
| redhat/eap7-stax2-api | <0:4.2.0-1.redhat_00001.1.el8ea | 0:4.2.0-1.redhat_00001.1.el8ea |
| redhat/eap7-sun-istack-commons | <0:3.0.10-1.redhat_00001.1.el8ea | 0:3.0.10-1.redhat_00001.1.el8ea |
| redhat/eap7-thrift | <0:0.13.0-1.redhat_00002.1.el8ea | 0:0.13.0-1.redhat_00002.1.el8ea |
| redhat/eap7-wildfly | <0:7.2.7-4.GA_redhat_00004.1.el8ea | 0:7.2.7-4.GA_redhat_00004.1.el8ea |
| redhat/eap7-wildfly-http-client | <0:1.0.20-1.Final_redhat_00001.1.el8ea | 0:1.0.20-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-openssl | <0:1.0.9-2.SP03_redhat_00001.1.el8ea | 0:1.0.9-2.SP03_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.9-1.Final_redhat_00001.1.el8ea | 0:1.1.9-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-woodstox-core | <0:6.0.3-1.redhat_00001.1.el8ea | 0:6.0.3-1.redhat_00001.1.el8ea |
| redhat/eap7-xml-security | <0:2.1.4-1.redhat_00001.1.el8ea | 0:2.1.4-1.redhat_00001.1.el8ea |
| debian/netty | 1:4.1.48-4+deb11u2 1:4.1.48-7+deb12u1 1:4.1.48-10 | |
| redhat/netty | <4.1.44 | 4.1.44 |
| Netty Netty | <4.1.44 | |
| Debian GNU/Linux | =8.0 | |
| Debian GNU/Linux | =9.0 | |
| Debian GNU/Linux | =10.0 | |
| Fedoraproject Fedora | =33 | |
| Ubuntu Linux | =18.04 | |
| All of | ||
| Any of | ||
| Red Hat JBoss AMQ Clients | =2 | |
| redhat jboss enterprise application platform | =7.2 | |
| redhat jboss enterprise application platform | =7.3 | |
| Any of | ||
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Apache Spark | =2.4.7 | |
| Apache Spark | =2.4.8 | |
| IBM Data Virtualization on Cloud Pak for Data | <=3.0 | |
| IBM Watson Query with Cloud Pak for Data | <=2.2 | |
| IBM Watson Query with Cloud Pak for Data | <=2.1 | |
| IBM Watson Query with Cloud Pak for Data | <=2.0 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.8 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.7 | |
| NettyRPC | <4.1.44 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Fedora | =33 | |
| Ubuntu | =18.04 | |
| Red Hat JBoss AMQ Clients | =2 | |
| JBoss Enterprise Application Platform | =7.2 | |
| JBoss Enterprise Application Platform | =7.3 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 |
Remedy
* Use HTTP/2 instead (clear boundaries between requests) * Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-20445
- https://github.com/netty/netty/issues/9861
- https://github.com/netty/netty/pull/9865
- https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
- https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E
- https://access.redhat.com/errata/RHSA-2020:0497
- https://access.redhat.com/errata/RHSA-2020:0567
- https://access.redhat.com/errata/RHSA-2020:0601
- https://access.redhat.com/errata/RHSA-2020:0605
- https://access.redhat.com/errata/RHSA-2020:0606
- https://access.redhat.com/errata/RHSA-2020:0804
- https://access.redhat.com/errata/RHSA-2020:0805
- https://access.redhat.com/errata/RHSA-2020:0806
- https://access.redhat.com/errata/RHSA-2020:0811
- https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E
- https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E
- https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E
- https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E
- https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E
- https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html
- https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html
- https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/
- https://usn.ubuntu.com/4532-1/
- https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E
- https://www.debian.org/security/2021/dsa-4885
- https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E
- https://github.com/advisories/GHSA-p2v9-g2qv-p635 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2019-20445 https://nvd.nist.gov/vuln/detail/CVE-2019-20445
- https://bugzilla.redhat.com/show_bug.cgi?id=1798509
- https://access.redhat.com/errata/RHSA-2020:0922
- https://access.redhat.com/errata/RHSA-2020:1445
- https://access.redhat.com/errata/RHSA-2020:0939
- https://access.redhat.com/errata/RHSA-2020:3196
- https://access.redhat.com/errata/RHSA-2020:2321
- https://access.redhat.com/errata/RHSA-2020:2333
- https://access.redhat.com/errata/RHSA-2020:3192
- https://access.redhat.com/errata/RHSA-2021:3140
- https://access.redhat.com/errata/RHSA-2020:3197
- https://access.redhat.com/errata/RHSA-2020:0951
- https://access.redhat.com/security/cve/cve-2019-20445
- https://launchpad.net/bugs/cve/CVE-2019-20445
- https://github.com/netty/netty/commit/8494b046ec7e4f28dbd44bc699cc4c4c92251729
- https://github.com/netty/netty/commit/629034624626b722128e0fcc6b3ec9d406cb3706
- https://github.com/netty/netty/commit/5f68897880467c00f29495b0aa46ed19bf7a873c
- https://security-tracker.debian.org/tracker/CVE-2019-20445
- https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45%40%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11%40%3Cissues.spark.apache.org%3E
- https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d%40%3Creviews.spark.apache.org%3E
- https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E
- https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E
- https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74%40%3Cissues.flume.apache.org%3E
- https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663%40%3Cissues.flume.apache.org%3E
- https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2%40%3Cissues.flume.apache.org%3E
- https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1798511
- https://access.redhat.com/security/cve/CVE-2019-16869
- https://github.com/elastic/elasticsearch/issues/49396
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2024:5856
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445
- https://ubuntu.com/security/CVE-2019-20445
- https://www.ibm.com/support/pages/node/7183851 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2019-20445?
The CVE-2019-20445 vulnerability is considered high severity due to its potential to allow HTTP request smuggling attacks.
How do I fix CVE-2019-20445?
To resolve CVE-2019-20445, upgrade to Netty version 4.1.45 or later.
Which versions of Netty are affected by CVE-2019-20445?
Netty versions prior to 4.1.45 are affected by CVE-2019-20445.
What kind of attacks can CVE-2019-20445 facilitate?
CVE-2019-20445 can facilitate HTTP request smuggling attacks due to improper handling of multiple Content-Length headers.
Is there a workaround for CVE-2019-20445 until I can update?
There are no officially recommended workarounds for CVE-2019-20445; updating to a safe version is advised.
- collector/github-advisory-latest
- alias/GHSA-p2v9-g2qv-p635
- alias/CVE-2019-20445
- collector/github-advisory
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/remedy
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/trending
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/severity
- agent/last-modified-date
- agent/references
- agent/event
- collector/ibm-support
- source/IBM
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/maven
- package-manager/redhat
- package-manager/debian
- vendor/netty
- canonical/netty netty
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- version/debian gnu/linux/9.0
- version/debian gnu/linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/18.04
- vendor/redhat
- canonical/red hat jboss amq clients
- version/red hat jboss amq clients/2
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/7.2
- version/redhat jboss enterprise application platform/7.3
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- vendor/apache
- canonical/apache spark
- version/apache spark/2.4.7
- version/apache spark/2.4.8
- vendor/ibm
- canonical/ibm data virtualization on cloud pak for data
- version/ibm data virtualization on cloud pak for data/3.0
- canonical/ibm watson query with cloud pak for data
- version/ibm watson query with cloud pak for data/2.2
- version/ibm watson query with cloud pak for data/2.1
- version/ibm watson query with cloud pak for data/2.0
- version/ibm data virtualization on cloud pak for data/1.8
- version/ibm data virtualization on cloud pak for data/1.7
- canonical/nettyrpc
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- version/debian/10.0
- canonical/fedora
- version/fedora/33
- canonical/ubuntu
- version/ubuntu/18.04
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/7.2
- version/jboss enterprise application platform/7.3