CVE-2019-20444
HTTP Request Smuggling vulnerability in netty-codec-http (Maven)

HTTP Request Smuggling No known exploit

What is CVE-2019-20444 About?

HttpObjectDecoder.java in Netty before 4.1.44 accepts an HTTP header line that lacks a colon. Such a line can be interpreted as a separate header with incorrect syntax, or as an 'invalid fold' (an obsolete line-folding continuation of the previous header). Because another HTTP parser in the same request path may treat the line differently, the discrepancy can be used in HTTP Request Smuggling attacks. Exploitation complexity is moderate.

Affected Software

io.netty:netty-codec-http <4.1.44

Technical Details

HttpObjectDecoder.java in Netty versions before 4.1.44 accepts a header line that contains no colon. The HTTP/1.1 message syntax (RFC 7230, section 3.2) defines every header field as a field name, a colon, and a field value; a line without a colon matches no production, and a conforming parser treats the request as malformed and rejects it. Netty's decoder instead kept parsing, and the malformed line could be read in one of two ways: as a separate header with incorrect syntax (a field name with no value), or as an 'invalid fold', that is, as an obsolete line-folding continuation (obs-fold) of the previous header. Obs-fold is a continuation line that begins with a space or tab and is appended to the preceding field value; RFC 7230 requires a server either to reject such a line or to replace the fold with a space. Whichever reading Netty takes, a proxy, load balancer, or WAF in front of it may take the other, or may reject the line outright. That disagreement between Netty and other HTTP intermediaries is the precondition for HTTP Request Smuggling: two parsers that see different headers can disagree on where one request ends and the next begins, which lets an attacker bypass front-end security controls, poison web caches, or access content intended for other users. Netty 4.1.44 changes the decoder to reject a header line that has no colon instead of accepting it.

What is the Impact of CVE-2019-20444?

Successful exploitation may allow attackers to bypass security controls, poison web caches, or access unauthorized content through HTTP Request Smuggling attacks, potentially leading to data exposure or session hijacking.

What is the Exploitability of CVE-2019-20444?

Exploitation of this vulnerability is of moderate complexity. An attacker must send specially crafted HTTP requests that exploit the parsing inconsistency between Netty and another HTTP component in the same chain. The vector is remote and typically requires no authentication or privileges, since it targets how requests are framed and parsed rather than any application logic. A vulnerable Netty alone is not enough: smuggling needs a second parser that disagrees with it, so the condition is Netty serving behind (or in front of) a proxy, load balancer, CDN, or WAF with a different HTTP parser. The highest-risk deployments are internet-facing services on vulnerable Netty versions that sit in such a multi-component HTTP processing chain.
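The parsing discrepancy described in the Technical Details and Exploitability sections, as an added example in Python. This is not Netty's code and not a Netty API: parse_lenient is a small model of the pre-4.1.44 decoder behaviour described above (the rule that a colon-less line becomes a header whose name is the line's first token and whose value is empty is an assumption made for the model), parse_strict models a conforming front-end that rejects the line, and header_line_problem is the pre-filter check a practitioner could run over raw header bytes. The function names and the sample requests are constructed for this example.

```python
"""Model of the header-parsing discrepancy behind CVE-2019-20444.

Added example, not code from Netty. parse_lenient models the pre-4.1.44
HttpObjectDecoder behaviour described on this page (assumption: a line
with no colon becomes a header whose name is the line's first token and
whose value is empty; a line starting with SP/HTAB is folded into the
previous header). parse_strict models a conforming front-end per
RFC 7230 section 3.2: a line with no colon, or an obs-fold continuation,
means the request is rejected.
"""
from __future__ import annotations

CRLF = b"\r\n"


def _header_lines(raw: bytes) -> list[bytes]:
    """Split a raw request into its header-block lines (request line
    first), stopping at the blank line that precedes the body."""
    head, _, _ = raw.partition(CRLF + CRLF)
    return head.split(CRLF)


def header_line_problem(line: bytes) -> str | None:
    """Return why a conforming parser would reject this header line,
    or None if the line is well formed."""
    if line[:1] in (b" ", b"\t"):
        return "obs-fold continuation line"
    name, colon, _ = line.partition(b":")
    if not colon:
        return "no colon"
    if not name or name != name.rstrip():
        return "empty name or whitespace before colon"
    return None


def parse_lenient(raw: bytes) -> list[tuple[bytes, bytes]]:
    """Modelled pre-fix behaviour: never rejects a header line."""
    headers: list[tuple[bytes, bytes]] = []
    for line in _header_lines(raw)[1:]:
        if line[:1] in (b" ", b"\t"):
            # Treated as an obs-fold: the line extends the previous value.
            if headers:
                name, value = headers[-1]
                headers[-1] = (name, (value + b" " + line.strip()).strip())
            continue
        # Name runs to the first ':' or whitespace; value is whatever
        # follows the first ':' and is empty when there is no colon.
        name_end = len(line)
        for i, byte in enumerate(line):
            if byte in (0x3A, 0x20, 0x09):  # ':' SP HTAB
                name_end = i
                break
        _, colon, rest = line.partition(b":")
        headers.append((line[:name_end].lower(), rest.strip() if colon else b""))
    return headers


def parse_strict(raw: bytes) -> list[tuple[bytes, bytes]]:
    """Modelled conforming parser: ValueError on the first bad line."""
    headers: list[tuple[bytes, bytes]] = []
    for line in _header_lines(raw)[1:]:
        problem = header_line_problem(line)
        if problem is not None:
            raise ValueError(f"{problem}: {line!r}")
        name, _, value = line.partition(b":")
        headers.append((name.lower(), value.strip()))
    return headers


def find_malformed_header_lines(raw: bytes) -> list[bytes]:
    """The pre-filter check: every header line a strict parser rejects."""
    return [l for l in _header_lines(raw)[1:] if header_line_problem(l) is not None]


def parsers_disagree(raw: bytes) -> bool:
    """True when the two models do not see the same request, which is
    the precondition for request smuggling across a parser boundary."""
    try:
        return parse_strict(raw) != parse_lenient(raw)
    except ValueError:
        return True


# Constructed sample requests (not captured traffic).
SAMPLE_NO_COLON = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 5\r\n"
    b"X-Trace abc123\r\n"  # header line with no colon
    b"\r\n"
    b"hello"
)
SAMPLE_OBS_FOLD = (
    b"GET / HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"X-Note: first\r\n"
    b" second\r\n"  # obs-fold continuation of X-Note
    b"\r\n"
)
SAMPLE_CLEAN = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("no colon", SAMPLE_NO_COLON),
                       ("obs-fold", SAMPLE_OBS_FOLD),
                       ("clean", SAMPLE_CLEAN)):
        print(label, "lenient:", parse_lenient(raw),
              "malformed:", find_malformed_header_lines(raw),
              "disagree:", parsers_disagree(raw))
```

For the colon-less sample the lenient model keeps an x-trace header with an empty value while the strict model rejects the whole request; for the obs-fold sample the lenient model folds the second line into X-Note while the strict model again rejects. Either outcome is a disagreement, which is what an attacker needs; a request that both parsers accept identically offers nothing to smuggle. The header_line_problem check is the thing to run at the edge, before the bytes reach the lenient parser.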

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2019-20444?

Available Upgrade Options

  • io.netty:netty-codec-http
    • <4.1.44 → Upgrade to 4.1.44 or later

netty-codec-http is often pulled in transitively (through netty-all or through a framework that embeds Netty), so check the version that actually resolves with mvn dependency:tree -Dincludes=io.netty:netty-codec-http rather than only the version declared in the pom, and pin 4.1.44 or later in dependencyManagement if a framework still brings in an older one.

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Additional Resources

What are Similar Vulnerabilities to CVE-2019-20444?

Similar Vulnerabilities: CVE-2020-13936, CVE-2021-3770, CVE-2020-1927, CVE-2020-1934, CVE-2021-3778