CVE-2021-43797: XSS
First published: Thu Dec 09 2021(Updated: )
### Impact Netty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore and so not do the validation itself.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-netty | <0:4.1.72-4.Final_redhat_00001.1.el8ea | 0:4.1.72-4.Final_redhat_00001.1.el8ea |
| redhat/eap7-netty | <0:4.1.72-4.Final_redhat_00001.1.el7ea | 0:4.1.72-4.Final_redhat_00001.1.el7ea |
| redhat/candlepin | <0:4.1.13-1.el7 | 0:4.1.13-1.el7 |
| redhat/candlepin | <0:4.1.13-1.el8 | 0:4.1.13-1.el8 |
| redhat/rh-sso7-keycloak | <0:15.0.8-1.redhat_00001.1.el7 | 0:15.0.8-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:15.0.8-1.redhat_00001.1.el8 | 0:15.0.8-1.redhat_00001.1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.3-1.redhat_00001.1.el7 | 0:18.0.3-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.3-1.redhat_00001.1.el8 | 0:18.0.3-1.redhat_00001.1.el8 |
| redhat/rh-sso7 | <0:1-5.el9 | 0:1-5.el9 |
| redhat/rh-sso7-javapackages-tools | <0:6.0.0-7.el9 | 0:6.0.0-7.el9 |
| redhat/rh-sso7-keycloak | <0:18.0.3-1.redhat_00001.1.el9 | 0:18.0.3-1.redhat_00001.1.el9 |
| ubuntu/netty | <1:4.1.7-4ubuntu0.1+ | 1:4.1.7-4ubuntu0.1+ |
| ubuntu/netty | <1:4.1.45-1ubuntu0.1~ | 1:4.1.45-1ubuntu0.1~ |
| ubuntu/netty | <1:4.0.34-1ubuntu0.1~ | 1:4.0.34-1ubuntu0.1~ |
| ubuntu/netty | <1:4.1.48-4+ | 1:4.1.48-4+ |
| ubuntu/netty | <1:4.1.48-5ubuntu0.1 | 1:4.1.48-5ubuntu0.1 |
| maven/io.netty:netty | <4.0.0 | |
| maven/org.jboss.netty:netty | <4.0.0 | |
| maven/io.netty:netty-codec-http | >=4.0.0<4.1.71.Final | 4.1.71.Final |
| <4.1.71 | ||
| <2.5.3 | ||
| =2.7 | ||
| =2.7.0 | ||
| =2.6.2 | ||
| =12.2.1.4.0 | ||
| =14.1.1.0.0 | ||
| =1.11.0 | ||
| =1.8.0 | ||
| =1.15.0 | ||
| =1.7.0 | ||
| =1.15.0 | ||
| =7.4.2 | ||
| =8.1 | ||
| =1.4.10 | ||
| =2.4.0 | ||
| =8.58 | ||
| =8.59 | ||
| =10.0 | ||
| =11.0 | ||
| Netty Netty | <4.1.71 | |
| Quarkus Quarkus | <2.5.3 | |
| NetApp OnCommand Workflow Automation | ||
| Netapp Snapcenter | ||
| Oracle Banking Deposits And Lines Of Credit Servicing | =2.7 | |
| Oracle Banking Party Management | =2.7.0 | |
| Oracle Banking Platform | =2.6.2 | |
| Oracle Coherence | =12.2.1.4.0 | |
| Oracle Coherence | =14.1.1.0.0 | |
| Oracle Communications Cloud Native Core Binding Support Function | =1.11.0 | |
| Oracle Communications Cloud Native Core Network Slice Selection Function | =1.8.0 | |
| Oracle Communications Cloud Native Core Policy | =1.15.0 | |
| VMware Spring Cloud Gateway | =1.7.0 | |
| Oracle Communications Cloud Native Core Unified Data Repository | =1.15.0 | |
| Oracle Communications Design Studio | =7.4.2 | |
| Oracle Communications Instant Messaging Server | =8.1 | |
| Oracle Helidon | =1.4.10 | |
| Oracle Helidon | =2.4.0 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| IBM Cognos Analytics 11.2.x | <=IBM Cognos Analytics 11.2.x | |
| IBM Cognos Analytics 11.1.x | <=IBM Cognos Analytics 11.1.x | |
| debian/netty | <=1:4.1.33-1+deb10u2 | 1:4.1.33-1+deb10u4 1:4.1.48-4+deb11u1 1:4.1.48-4+deb11u2 1:4.1.48-7+deb12u1 1:4.1.48-9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2021-43797
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43797
- https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
- https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323
- https://salsa.debian.org/java-team/netty/-/commit/5406c2524b94d1268459607b284b2a8c366fae53
- https://security-tracker.debian.org/tracker/CVE-2021-37136
- https://security-tracker.debian.org/tracker/CVE-2021-37137
- https://security-tracker.debian.org/tracker/CVE-2022-41881
- https://security-tracker.debian.org/tracker/CVE-2022-41915
- https://bugs.debian.org/1001437
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001437
- https://nvd.nist.gov/vuln/detail/CVE-2021-43797
- https://github.com/netty/netty/pull/11891
- https://security.netapp.com/advisory/ntap-20220107-0003/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html
- https://www.debian.org/security/2023/dsa-5316
- https://github.com/advisories/GHSA-wx5j-54mm-rqqq (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/215118
- https://www.ibm.com/support/pages/node/6615285 (Advisory)
- https://launchpad.net/bugs/cve/CVE-2021-43797
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2031959
- https://access.redhat.com/errata/RHSA-2022:0520
- https://access.redhat.com/security/cve/cve-2021-43797
- https://access.redhat.com/errata/RHSA-2022:1345
- https://access.redhat.com/errata/RHSA-2022:2216
- https://access.redhat.com/errata/RHSA-2022:2218
- https://access.redhat.com/errata/RHSA-2022:2217
- https://access.redhat.com/errata/RHSA-2022:4623
- https://access.redhat.com/errata/RHSA-2022:4922
- https://access.redhat.com/errata/RHSA-2022:4918
- https://access.redhat.com/errata/RHSA-2022:4919
- https://access.redhat.com/errata/RHSA-2022:5101
- https://access.redhat.com/errata/RHSA-2022:5498
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2022:5903
- https://access.redhat.com/errata/RHSA-2022:6782
- https://access.redhat.com/errata/RHSA-2022:6783
- https://access.redhat.com/errata/RHSA-2022:6787
- https://access.redhat.com/errata/RHSA-2022:7410
- https://access.redhat.com/errata/RHSA-2022:7409
- https://access.redhat.com/errata/RHSA-2022:7411
- https://access.redhat.com/errata/RHSA-2022:7417
- https://bugzilla.redhat.com/show_bug.cgi?id=2031958
- https://www.cve.org/CVERecord?id=CVE-2021-43797 https://nvd.nist.gov/vuln/detail/CVE-2021-43797 https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq
- https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 (netty-4.1.71.Final)
- https://ubuntu.com/security/notices/USN-6049-1
- https://ubuntu.com/security/CVE-2021-43797
Parent vulnerabilities
(Appears in the following advisories)
- IBM-6615285
- RHSA-2022:2216
- RHSA-2022:2218
- RHSA-2022:2217
- RHSA-2022:5101
- RHSA-2022:4623
- RHSA-2022:0520
- RHSA-2022:1345
- RHSA-2022:4922
- RHSA-2022:4919
- RHSA-2022:4918
- RHSA-2022:5532
- RHSA-2022:5903
- RHSA-2022:5498
- RHSA-2022:6787
- RHSA-2022:7417
- RHSA-2022:6782
- RHSA-2022:6783
- RHSA-2022:7409
- RHSA-2022:7410
- RHSA-2022:7411
- USN-6049-1
Frequently Asked Questions
What is CVE-2021-43797?
CVE-2021-43797 is a vulnerability in the netty-codec-http package of Netty, allowing unauthorized access to control chars in the header name.
What is the severity of CVE-2021-43797?
CVE-2021-43797 has a high severity rating of 6.5.
How does CVE-2021-43797 impact Netty?
CVE-2021-43797 impacts Netty by enabling unauthorized access to control chars in the header name, potentially leading to security breaches.
What is the recommended version of netty-codec-http to fix CVE-2021-43797?
To fix CVE-2021-43797, it is recommended to update netty-codec-http to version 4.1.72 or higher.
Where can I find more information about CVE-2021-43797?
You can find more information about CVE-2021-43797 on the GitHub Security Advisory page at https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/debian-bugs
- alias/CVE-2021-43797
- collector/github-advisory
- alias/GHSA-wx5j-54mm-rqqq
- collector/github-advisory-latest
- collector/ibm-support
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- collector/redhat-cve
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- package-manager/maven
- vendor/ibm
- canonical/ibm cognos analytics 11.2.x
- version/ibm cognos analytics 11.2.x/ibm cognos analytics 11.2.x
- canonical/ibm cognos analytics 11.1.x
- version/ibm cognos analytics 11.1.x/ibm cognos analytics 11.1.x
- vendor/netty
- canonical/netty netty
- vendor/quarkus
- canonical/quarkus quarkus
- vendor/netapp
- canonical/netapp oncommand workflow automation
- canonical/netapp snapcenter
- vendor/oracle
- canonical/oracle banking deposits and lines of credit servicing
- version/oracle banking deposits and lines of credit servicing/2.7
- canonical/oracle banking party management
- version/oracle banking party management/2.7.0
- canonical/oracle banking platform
- version/oracle banking platform/2.6.2
- canonical/oracle coherence
- version/oracle coherence/12.2.1.4.0
- version/oracle coherence/14.1.1.0.0
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/1.11.0
- canonical/oracle communications cloud native core network slice selection function
- version/oracle communications cloud native core network slice selection function/1.8.0
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.15.0
- canonical/vmware spring cloud gateway
- version/vmware spring cloud gateway/1.7.0
- canonical/oracle communications cloud native core unified data repository
- version/oracle communications cloud native core unified data repository/1.15.0
- canonical/oracle communications design studio
- version/oracle communications design studio/7.4.2
- canonical/oracle communications instant messaging server
- version/oracle communications instant messaging server/8.1
- canonical/oracle helidon
- version/oracle helidon/1.4.10
- version/oracle helidon/2.4.0
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu