CVE-2021-21295: Possible request smuggling in HTTP/2 due missing validation

First published: Tue Mar 09 2021(Updated: )

### Impact If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. A sample attack request looks like: ``` POST / HTTP/2 :authority:: externaldomain.com Content-Length: 4 asdfGET /evilRedirect HTTP/1.1 Host: internaldomain.com ``` Users are only affected if all of this is `true`: * `HTTP2MultiplexCodec` or `Http2FrameCodec` is used * `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects * These HTTP/1.1 objects are forwarded to another remote peer. ### Patches This has been patched in 4.1.60.Final ### Workarounds The user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. ### References Related change to workaround the problem: https://github.com/Netflix/zuul/pull/980

Credit: security-advisories@github.com security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/github-advisory-latest
• alias/GHSA-wm47-8v5p-wjpj
• alias/CVE-2021-21295
• collector/github-advisory
• collector/redhat-cve
• collector/nvd-index
• agent/type
• agent/first-publish-date
• collector/launchpad-cve
• source/Launchpad
• agent/remedy
• agent/author
• collector/nvd-cve
• source/NVD
• agent/software-canonical-lookup
• collector/redhat-bugzilla
• source/Red Hat
• agent/severity
• agent/references
• agent/weakness
• agent/description
• collector/ibm-support
• source/IBM
• agent/software-canonical-lookup-request
• collector/security-tracker-debian
• source/Debian
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• agent/title
• agent/last-modified-date
• agent/event
• agent/tags
• collector/usn-cve
• source/Ubuntu
• package-manager/maven
• package-manager/redhat
• vendor/netty
• canonical/netty netty
• vendor/netapp
• canonical/netapp oncommand api services
• canonical/netapp oncommand workflow automation
• vendor/debian
• canonical/debian debian linux
• version/debian debian linux/10.0
• vendor/quarkus
• canonical/quarkus quarkus
• version/quarkus quarkus/1.13.7
• vendor/apache
• canonical/apache kudu
• canonical/apache zookeeper
• version/apache zookeeper/3.5.9
• vendor/oracle
• canonical/oracle communications cloud native core policy
• version/oracle communications cloud native core policy/1.14.0
• vendor/ibm
• canonical/ibm ibm® db2® on cloud pak for data and db2 warehouse on cloud pak for data
• version/ibm ibm® db2® on cloud pak for data and db2 warehouse on cloud pak for data/v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh 6v4.7 through refresh 4v4.8 through refresh 4
• package-manager/debian