CVE-2021-43797: HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling

Published Dec 9, 2021
·
Updated

Impact

Netty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling.

Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore and so not do the validation itself.

Other sources

A flaw was found in Netty, specifically in the netty-codec-http package. This flaw allows unauthorized control characters at the beginning and end of a request, does not follow the specification, and can cause HTTP request smuggling.

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.7.1.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.7.1.Final to receive a patch.

Reference: https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq

Upstream patch: https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323

Red Hat

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

Netty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP transfer-encoding request header names. By sending a specially-crafted HTTP(S) transfer-encoding request header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

IBM

Affected Software

40 affected componentsFixes available
maven/io.netty:netty<4.0.0
maven/org.jboss.netty:netty<4.0.0
maven/io.netty:netty-codec-http>=4.0.0<4.1.71.Final
4.1.71.Final
redhat/eap7-netty<0:4.1.72-4.Final_redhat_00001.1.el8ea
0:4.1.72-4.Final_redhat_00001.1.el8ea
redhat/eap7-netty<0:4.1.72-4.Final_redhat_00001.1.el7ea
0:4.1.72-4.Final_redhat_00001.1.el7ea
redhat/candlepin<0:4.1.13-1.el7
0:4.1.13-1.el7
redhat/candlepin<0:4.1.13-1.el8
0:4.1.13-1.el8
redhat/rh-sso7-keycloak<0:15.0.8-1.redhat_00001.1.el7
0:15.0.8-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:15.0.8-1.redhat_00001.1.el8
0:15.0.8-1.redhat_00001.1.el8
redhat/rh-sso7-keycloak<0:18.0.3-1.redhat_00001.1.el7
0:18.0.3-1.redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:18.0.3-1.redhat_00001.1.el8
0:18.0.3-1.redhat_00001.1.el8
redhat/rh-sso7<0:1-5.el9
0:1-5.el9
redhat/rh-sso7-javapackages-tools<0:6.0.0-7.el9
0:6.0.0-7.el9
redhat/rh-sso7-keycloak<0:18.0.3-1.redhat_00001.1.el9
0:18.0.3-1.redhat_00001.1.el9
debian/netty
1:4.1.48-4+deb11u21:4.1.48-7+deb12u11:4.1.48-10
Netty Netty<4.1.71
Quarkus Quarkus<2.5.3
NetApp OnCommand Workflow Automation
NetApp Snapcenter
Oracle Banking Deposits And Lines Of Credit Servicing=2.7
Oracle Banking Party Management=2.7.0
Oracle Banking Platform=2.6.2
Oracle Coherence=12.2.1.4.0
Oracle Coherence=14.1.1.0.0
Oracle Communications Cloud Native Core Binding Support Function=1.11.0
Oracle Communications Cloud Native Core Network Slice Selection Function=1.8.0
Oracle Communications Cloud Native Core Policy=1.15.0
Oracle Communications Cloud Native Core Security Edge Protection Proxy=1.7.0
Oracle Communications Cloud Native Core Unified Data Repository=1.15.0
Oracle Communications Design Studio=7.4.2
Oracle Communications Instant Messaging Server=8.1
Oracle Helidon=1.4.10
Oracle Helidon=2.4.0
Oracle PeopleSoft Enterprise PeopleTools=8.58
Oracle PeopleSoft Enterprise PeopleTools=8.59
Debian Debian Linux=10.0
Debian Debian Linux=11.0
redhat/netty-codec-http<4.1.72.
4.1.72.
IBM Cognos Analytics<=11.2.0 - 11.2.2
IBM Cognos Analytics<=11.1.0 - 11.1.6 FP4

Remediation

Patch Available

https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Available

https://www.oracle.com/security-alerts/cpujul2022.html

Event History

Dec 9, 2021
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionSeverityWeakness
Advisory Published
07:09 PM
Data Sourced
09:51 PM
SeverityAffected Software
Dec 13, 2021
Data Sourced
via Red Hat·07:17 PM
DescriptionSeverityAffected Software
Jan 12, 2024
Data Sourced
via Launchpad·12:01 AM
Description
Sep 16, 2024
Data Sourced
via Ubuntu·02:35 AM
RemedyDescriptionSeverityAffected Software
Feb 23, 2026
Data Sourced
via IBM·11:32 PM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-43797?

CVE-2021-43797 is a vulnerability in the netty-codec-http package of Netty, allowing unauthorized access to control chars in the header name.

2

What is the severity of CVE-2021-43797?

CVE-2021-43797 has a high severity rating of 6.5.

3

How does CVE-2021-43797 impact Netty?

CVE-2021-43797 impacts Netty by enabling unauthorized access to control chars in the header name, potentially leading to security breaches.

4

What is the recommended version of netty-codec-http to fix CVE-2021-43797?

To fix CVE-2021-43797, it is recommended to update netty-codec-http to version 4.1.72 or higher.

5

Where can I find more information about CVE-2021-43797?

You can find more information about CVE-2021-43797 on the GitHub Security Advisory page at https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203