Learn about CVE-2021-21295, a critical vulnerability in Netty's netty-codec-http2 library before 4.1.60.Final enabling request smuggling, potentially leading to security breaches. Find out the impact, affected systems, exploitation mechanisms, and mitigation steps.
This article discusses a critical vulnerability in Netty's netty-codec-http2 library before version 4.1.60.Final that enables request smuggling, potentially leading to security breaches.
Understanding CVE-2021-21295
Netty is an open-source, asynchronous event-driven network application framework used for developing high-performance protocol servers and clients. The vulnerability in the netty-codec-http2 library could allow attackers to smuggle requests under specific circumstances.
What is CVE-2021-21295?
The vulnerability arises when the Content-Length header in an original HTTP/2 request is not validated properly, leading to potential request smuggling when the request is proxied through as HTTP/1.1. Attackers can exploit this by downgrading the request to HTTP/1.1 and smuggling malicious requests.
The Impact of CVE-2021-21295
The impact of this vulnerability is rated as MEDIUM severity with a base score of 5.9 using CVSS v3.1. It has a potential high impact on integrity but does not affect confidentiality or availability.
Technical Details of CVE-2021-21295
The vulnerability could affect users who run Netty versions before 4.1.60.Final and use specific components such as Http2MultiplexCodec, Http2FrameCodec, and Http2StreamFrameToHttpObjectCodec. A detailed description and impact metrics are available.
Vulnerability Description
The vulnerability enables request smuggling because the Content-Length header of an HTTP/2 request is not validated before the request is proxied through as HTTP/1.1.
Affected Systems and Versions
Netty versions prior to 4.1.60.Final that utilize io.netty:netty-codec-http2 are vulnerable.
Exploitation Mechanism
Attackers can smuggle requests by exploiting the lack of proper validation for the Content-Length header, especially when downgrading requests from HTTP/2 to HTTP/1.1.
Mitigation and Prevention
Users are strongly advised to update Netty to version 4.1.60.Final or newer. Implementing custom validation using ChannelInboundHandler behind Http2StreamFrameToHttpObjectCodec can also mitigate the vulnerability.
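One way to write the custom validation handler described above, as an added example (not Netty's own code and not the upstream fix). The class name ContentLengthValidator is hypothetical, and closing the stream channel on a mismatch is an assumed rejection policy.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.util.ReferenceCountUtil;
import java.util.List;

// Hypothetical handler: add a new instance to each HTTP/2 stream channel, after
// Http2StreamFrameToHttpObjectCodec and before any handler that proxies the request.
public class ContentLengthValidator extends ChannelInboundHandlerAdapter {
    private long declared = -1;   // -1 means the request carried no Content-Length
    private long received;        // body bytes seen so far on this stream
    private boolean rejected;     // once set, nothing else on this stream is forwarded

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        boolean ok = !rejected;
        if (ok && msg instanceof HttpRequest) {
            declared = -1;
            received = 0;
            List<String> values =
                ((HttpRequest) msg).headers().getAll(HttpHeaderNames.CONTENT_LENGTH);
            if (values.size() > 1) {
                ok = false;       // repeated Content-Length headers are ambiguous
            } else if (values.size() == 1) {
                // Accept only plain decimal digits (also keeps parseLong from overflowing).
                ok = values.get(0).matches("[0-9]{1,18}");
                if (ok) declared = Long.parseLong(values.get(0));
            }
        }
        // A FullHttpRequest is both HttpRequest and LastHttpContent, so this is not an else.
        if (ok && msg instanceof HttpContent && declared >= 0) {
            received += ((HttpContent) msg).content().readableBytes();
            boolean last = msg instanceof LastHttpContent;
            // Too many bytes fails immediately; too few fails at end of stream.
            if (received > declared || (last && received != declared)) ok = false;
        }
        if (ok) {
            ctx.fireChannelRead(msg);
        } else {
            rejected = true;
            ReferenceCountUtil.release(msg);
            ctx.close();          // assumption: reject by closing the stream channel
        }
    }
}
```

The handler is stateful, so it must not be shared between channels.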
Immediate Steps to Take
Update Netty to version 4.1.60.Final or above and ensure proper validation of the Content-Length header in proxy scenarios.
Long-Term Security Practices
Regularly monitor Netty security advisories, apply security patches promptly, and follow secure coding practices to minimize security risks.
Patching and Updates
Refer to the official Netty repository for the latest patches and updates to address CVE-2021-21295 and other security vulnerabilities.