Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables HTTP request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up: HTTP/2 delimits the body by DATA frames, so a Content-Length that disagrees with the number of body bytes actually received is carried along unchecked. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec, and is then sent up to the child channel's pipeline and proxied through to a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the Content-Length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning (the HTTP/1.1 backend uses it to delimit the message body) and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1: body bytes beyond the declared Content-Length are read by the backend as the start of a further request on the same connection. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of the following are true: Http2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final; the fix commit referenced by the signatures below touches the header and data handling of DefaultHttp2ConnectionDecoder as well as the HTTP/1.1 HttpObjectDecoder and HttpUtil. As a workaround, the user can do the validation themselves by implementing a custom ChannelInboundHandler that is placed in the ChannelPipeline after (downstream of) Http2StreamFrameToHttpObjectCodec. Such a handler should compare the declared Content-Length against the total number of body bytes actually received for the stream and reject the request (rather than forwarding it to the backend) when they differ, which is how RFC 7540 §8.1.2.6 says a malformed HTTP/2 message must be treated.
{ "vanir_signatures": [ { "signature_type": "Function", "target": { "function": "setup", "file": "codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoderTest.java" }, "digest": { "function_hash": "163131827113553283573844942889829219890", "length": 3367.0 }, "id": "CVE-2021-21295-076b3ec5", "signature_version": "v1", "deprecated": false, "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "signature_type": "Function", "target": { "function": "onDataRead", "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java" }, "digest": { "function_hash": "13121290283312984908769800193190709635", "length": 1776.0 }, "id": "CVE-2021-21295-216e269d", "signature_version": "v1", "deprecated": false, "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "signature_type": "Function", "target": { "function": "onHeadersRead", "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java" }, "digest": { "function_hash": "128044597731365074561874345448063835682", "length": 1745.0 }, "id": "CVE-2021-21295-4eedce72", "signature_version": "v1", "deprecated": false, "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "signature_type": "Line", "target": { "file": "codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java" }, "digest": { "line_hashes": [ "56801147450464915608998571466296945863", "305787734193413226865597980471825739760", "176320523147012450593030853993821327774", "328234067401346632819186893881124413590", "178909883660891606341138859683996519690", "117473473298518506572612753114190829377", "306524088069364581824744845396008845471", "117657372999695485907251383292519926534", "90095140119087404172067345192533290154", "304205579781524715678478014827083073728", "175791843801440861430177089523629387278", 
"88545892492473711316712938769548881976", "71410437774918518317867979898141400014", "10479739303966359378562229528357192268", "227908318583809173522812830450313273528", "320253033835078425890951820027553641654", "167637645316055634972802575172582973514", "201699643622103271051135051452302913307", "335659523283194323915172657828209262801", "217680393614924871033195702334336205272", "61315750306711228537583588486184248967", "133900362357527303460237906110176880081", "211645333342385333571813385344744813794", "46219337575958502899013754661525049534", "124269086603415208659607819358758503214", "330004896875272548683785211390276273849", "223894373512718001275955688513063374981", "104709013446280129249792480036482959307", "63277730938516402947096361918302154010", "326818812999830356969684829816190328475", "235303252092448803718369134685771971368", "102113664438365445319651651762671979029", "238884840896936821260275221957201547135", "50929174104698332345549418113424668182", "297831061452507531023591738340990418765", "305581139940413303909949211743152590001", "272289468428134422709572328812929650679", "18240670485617348217017990696544482939", "5161616558033022922717277269623311214", "19962446268599148731404030178213257047" ], "threshold": 0.9 }, "id": "CVE-2021-21295-a76263b7", "signature_version": "v1", "deprecated": false, "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "signature_type": "Function", "target": { "function": "readHeaders", "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java" }, "digest": { "function_hash": "136039075965439866115078610044858331213", "length": 2005.0 }, "id": "CVE-2021-21295-a9c4ad9d", "signature_version": "v1", "deprecated": false, "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "signature_type": "Function", "target": { "function": "DefaultHttp2ConnectionDecoder", "file": 
"codec-http2/src/main/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoder.java" }, "digest": { "function_hash": "9084650937557526153332955569107186263", "length": 762.0 }, "id": "CVE-2021-21295-aba17309", "signature_version": "v1", "deprecated": false, "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "signature_type": "Line", "target": { "file": "codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2ConnectionDecoderTest.java" }, "digest": { "line_hashes": [ "126344892869594928014044763305123625331", "87074137958240970938389127507030116076", "190907003409725621268836162597533271784", "16349625658632855229629297345956181671", "263391697929191456185666087747494324715", "336916350501142639771636661717585389262", "302205978192499199118830293330389027250", "123925897227127822382557495418897418418", "69894908558659461431779000122533191348", "3853748565542205885409537983304468450", "39395700946577790170576037310444002434", "306197664328722483981957097939818245176", "293149647761448423733898173348094430012", "26260724055893472957663343342004780214", "148560416443248551818340986676877237494", "68285722545211170465444984656998271118", "166465438176436264342148049123294004266", "316545207810442875339905924506419806583", "62964032188391783466358178842237132936", "281598869966825558931979861765142415609", "325023474999970616961394501424910823943" ], "threshold": 0.9 }, "id": "CVE-2021-21295-dca6c806", "signature_version": "v1", "deprecated": false, "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "signature_type": "Line", "target": { "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java" }, "digest": { "line_hashes": [ "164397687793919126235382670453790406125", "145113729578345138538789037881964768050", "245439652996296190444180521130132207242", "213414524208182422546049020380734385626", "254962056978756764886241622967337234349", 
"310352253922811771755203309566863156039", "317942778590860116440094703626850807135", "14291648473826393899311187209913117543", "64031734714818190934801921273335133522", "291122773435198562375316743309903221812", "251844405650014314219319891077685940750", "170408057795286915143819984119014287317", "142864601630603117362517797545603901407", "275853528944319188776588937526294529797", "214785981059220793922361684158690628085", "151900491808285659094273936863652390687", "65528626281378921832933716922633210756", "264779714317578818787512444478284950345", "214482292268366476038742898540697200546", "184265540816685878914732024960009028313", "104050348910002138347870741001997459839", "214159995791178535385466432015784882617", "67629897710851728596128133578550349496", "70518487440308753413412217038549562636", "205518209126584430943038427760694954857", "1701292401270369422684318588660195476", "61446602767138634013576343845334059744", "330401013916243809353447802369666586028", "70752595030837459442815352221321875452", "12416604800241386987751795228893204740", "42871084117433635731663370747703421593", "146667816185960961753749311893918699035" ], "threshold": 0.9 }, "id": "CVE-2021-21295-e06a9d85", "signature_version": "v1", "deprecated": false, "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "signature_type": "Line", "target": { "file": "codec-http/src/main/java/io/netty/handler/codec/http/HttpUtil.java" }, "digest": { "line_hashes": [ "260905483037379100448616532127950713170", "155881490674833820368238073283249505901", "245912528762103197135989277749650384584", "249085615949756701494769549826034618887", "203156711581673838062272706559020996798", "130117003699404404611541727559836666176", "14919518235588270136619744552154121517", "312811872835529731788902708862002934525", "292991496705391134366628779717611022012", "312649191103442262961422826374096300794", "237207830113709018856736220745747906307", 
"279379860327261942888738829983651561825" ], "threshold": 0.9 }, "id": "CVE-2021-21295-f8c8dec9", "signature_version": "v1", "deprecated": false, "source": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" } ] }