GHSA-wm47-8v5p-wjpj

Source

https://github.com/advisories/GHSA-wm47-8v5p-wjpj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json

Aliases

Published

2021-03-09T18:49:49Z

Modified

2024-03-11T05:16:16.380610Z

Details

Impact

If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodecand then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.

In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked.

An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. A sample attack request looks like:

POST / HTTP/2
:authority:: externaldomain.com
Content-Length: 4

asdfGET /evilRedirect HTTP/1.1
Host: internaldomain.com

Users are only affected if all of this is true: * HTTP2MultiplexCodec or Http2FrameCodec is used * Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects * These HTTP/1.1 objects are forwarded to another remote peer.

Patches

This has been patched in 4.1.60.Final

Workarounds

The user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

References

Related change to workaround the problem: https://github.com/Netflix/zuul/pull/980

References

Affected packages

Maven / io.netty:netty-codec-http2

Package

Name: io.netty:netty-codec-http2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.1.60.Final

Affected versions

4.*

4.1.0.Beta4

4.1.0.Beta5

4.1.0.Beta6

4.1.0.Beta7

4.1.0.Beta8

4.1.0.CR1

4.1.0.CR2

4.1.0.CR3

4.1.0.CR4

4.1.0.CR5

4.1.0.CR6

4.1.0.CR7

4.1.0.Final

4.1.1.Final

4.1.2.Final

4.1.3.Final

4.1.4.Final

4.1.5.Final

4.1.6.Final

4.1.7.Final

4.1.8.Final

4.1.9.Final

4.1.10.Final

4.1.11.Final

4.1.12.Final

4.1.13.Final

4.1.14.Final

4.1.15.Final

4.1.16.Final

4.1.17.Final

4.1.18.Final

4.1.19.Final

4.1.20.Final

4.1.21.Final

4.1.22.Final

4.1.23.Final

4.1.24.Final

4.1.25.Final

4.1.26.Final

4.1.27.Final

4.1.28.Final

4.1.29.Final

4.1.30.Final

4.1.31.Final

4.1.32.Final

4.1.33.Final

4.1.34.Final

4.1.35.Final

4.1.36.Final

4.1.37.Final

4.1.38.Final

4.1.39.Final

4.1.40.Final

4.1.41.Final

4.1.42.Final

4.1.43.Final

4.1.44.Final

4.1.45.Final

4.1.46.Final

4.1.47.Final

4.1.48.Final

4.1.49.Final

4.1.50.Final

4.1.51.Final

4.1.52.Final

4.1.53.Final

4.1.54.Final

4.1.55.Final

4.1.56.Final

4.1.57.Final

4.1.58.Final

4.1.59.Final

Maven / org.jboss.netty:netty

Package

Name: org.jboss.netty:netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Affected versions

3.*

3.0.0.CR1

3.0.0.CR2

3.0.0.CR3

3.0.0.CR4

3.0.0.CR5

3.0.0.GA

3.0.1.GA

3.0.2.GA

3.1.0.ALPHA1

3.1.0.ALPHA2

3.1.0.ALPHA3

3.1.0.ALPHA4

3.1.0.BETA1

3.1.0.BETA2

3.1.0.BETA3

3.1.0.CR1

3.1.0.GA

3.1.1.GA

3.1.2.GA

3.1.3.GA

3.1.4.GA

3.1.5.GA

3.2.0.ALPHA1

3.2.0.ALPHA2

3.2.0.ALPHA3

3.2.0.ALPHA4

3.2.0.BETA1

3.2.0.CR1

3.2.0.Final

3.2.1.Final

3.2.2.Final

3.2.3.Final

3.2.4.Final

3.2.5.Final

3.2.6.Final

3.2.7.Final

3.2.8.Final

3.2.9.Final

3.2.10.Final

Database specific

{
    "last_known_affected_version_range": "< 4.0.0"
}

Maven / io.netty:netty

Package

Name: io.netty:netty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Affected versions

3.*

3.3.0.Final

3.3.1.Final

3.4.0.Alpha1

3.4.0.Alpha2

3.4.0.Beta1

3.4.0.Final

3.4.1.Final

3.4.2.Final

3.4.3.Final

3.4.4.Final

3.4.5.Final

3.4.6.Final

3.5.0.Beta1

3.5.0.Final

3.5.1.Final

3.5.2.Final

3.5.3.Final

3.5.4.Final

3.5.5.Final

3.5.6.Final

3.5.7.Final

3.5.8.Final

3.5.9.Final

3.5.10.Final

3.5.11.Final

3.5.12.Final

3.5.13.Final

3.6.0.Beta1

3.6.0.Final

3.6.1.Final

3.6.2.Final

3.6.3.Final

3.6.4.Final

3.6.5.Final

3.6.6.Final

3.6.7.Final

3.6.8.Final

3.6.9.Final

3.6.10.Final

3.7.0.Final

3.7.1.Final

3.8.0.Final

3.8.1.Final

3.8.2.Final

3.8.3.Final

3.9.0.Final

3.9.1.Final

3.9.1.1.Final

3.9.2.Final

3.9.3.Final

3.9.4.Final

3.9.5.Final

3.9.6.Final

3.9.7.Final

3.9.8.Final

3.9.9.Final

3.10.0.Final

3.10.1.Final

3.10.2.Final

3.10.3.Final

3.10.4.Final

3.10.5.Final

3.10.6.Final

4.*

4.0.0.Alpha1

4.0.0.Alpha2

4.0.0.Alpha3

4.0.0.Alpha4

4.0.0.Alpha5

4.0.0.Alpha6

4.0.0.Alpha7

4.0.0.Alpha8

Database specific

{
    "last_known_affected_version_range": "< 4.0.0"
}