CVE-2021-21409

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 30-03-2021 05:15

Last modified: - 12-05-2022 04:35

Total changes: - 32

Description

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

High

Attack complexity

Network

Attack vector

None

Availability

None

Confidentiality

High

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

5.9

Base score

2.2

3.6

Exploitability score

Impact score

Verification logic

vendor=netty AND product=netty AND versionEndExcluding=4.1.61

vendor=Debian AND product=debian_linux AND version=10.0

vendor=netapp AND product=oncommand_workflow_automation AND version=-

vendor=netapp AND product=oncommand_api_services AND version=-

vendor=oracle AND product=coherence AND version=12.2.1.4.0

vendor=oracle AND product=coherence AND version=14.1.1.0.0

vendor=oracle AND product=banking_trade_finance_process_management AND version=14.3.0

vendor=oracle AND product=banking_credit_facilities_process_management AND version=14.3.0

vendor=oracle AND product=banking_corporate_lending_process_management AND version=14.3.0

vendor=oracle AND product=primavera_gateway AND versionEndIncluding=19.12.10 AND versionStartIncluding=19.12.0

vendor=oracle AND product=primavera_gateway AND versionEndIncluding=18.8.11 AND versionStartIncluding=18.8.0

vendor=oracle AND product=primavera_gateway AND versionEndIncluding=17.12.11 AND versionStartIncluding=17.12.0

vendor=oracle AND product=banking_trade_finance_process_management AND version=14.5.0

vendor=oracle AND product=banking_credit_facilities_process_management AND version=14.2.0

vendor=oracle AND product=banking_corporate_lending_process_management AND version=14.2.0

vendor=oracle AND product=banking_corporate_lending_process_management AND version=14.5.0

vendor=oracle AND product=banking_credit_facilities_process_management AND version=14.5.0

vendor=oracle AND product=banking_trade_finance_process_management AND version=14.2.0

vendor=oracle AND product=communications_brm_-_elastic_charging_engine AND version=12.0.0.3

vendor=oracle AND product=communications_cloud_native_core_console AND version=1.7.0

vendor=oracle AND product=communications_cloud_native_core_policy AND version=1.14.0

vendor=oracle AND product=communications_design_studio AND version=7.4.2.0.0

vendor=oracle AND product=communications_messaging_server AND version=8.1

vendor=oracle AND product=helidon AND version=1.4.10

vendor=oracle AND product=helidon AND version=2.4.0

vendor=oracle AND product=jd_edwards_enterpriseone_tools AND versionEndExcluding=9.2.6.3

vendor=oracle AND product=nosql_database AND versionEndExcluding=21.1.12

vendor=quarkus AND product=quarkus AND versionEndIncluding=1.13.7

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295
https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
DSA-4885-Third Party Advisory
[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409-Mailing List, Third Party Advisory
[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409-Mailing List, Third Party Advisory
[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409-Mailing List, Third Party Advisory
[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx-Mailing List, Third Party Advisory
[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx-Mailing List, Third Party Advisory
[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx-Mailing List, Third Party Advisory
[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx-Mailing List, Third Party Advisory
[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher-Third Party Advisory
[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx-Mailing List, Third Party Advisory
[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5-Mailing List, Third Party Advisory
[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5-Mailing List, Third Party Advisory
[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5-Mailing List, Third Party Advisory
[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5-Mailing List, Third Party Advisory
[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5-Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20210604-0003/
[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx-Mailing List, Third Party Advisory
[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx-Mailing List, Third Party Advisory
N/A-Patch, Third Party Advisory
[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60-Mailing List, Third Party Advisory
[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60-Mailing List, Third Party Advisory
[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60-Mailing List, Third Party Advisory
[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60-Mailing List, Third Party Advisory
[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60-Mailing List, Third Party Advisory
[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409-Mailing List, Third Party Advisory
[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409-Mailing List, Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0-Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html

Keywords

CVE-2021-21409

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2021-21409

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures