CVE-2019-20445
Header Parsing vulnerability in netty-handler (Maven)
What is CVE-2019-20445 About?
This vulnerability in Netty allows malformed HTTP headers where a Content-Length header can be accompanied by another Content-Length or a Transfer-Encoding header. This could lead to request smuggling or bypasses, posing a moderate impact. Exploitation would likely involve crafting specific HTTP requests, which could be relatively easy for an attacker.
Affected Software
Technical Details
The vulnerability exists in Netty's HttpObjectDecoder.java in versions prior to 4.1.44. Specifically, the decoder leniently handles HTTP request or response headers such that it permits a Content-Length header to be present alongside a second Content-Length header, or alongside a Transfer-Encoding header. This violates HTTP specifications which dictate that these headers, especially when combined or duplicated, should be treated with strict parsing rules to prevent ambiguity. This misinterpretation can lead to desynchronization between front-end and back-end servers, enabling HTTP request smuggling attacks or other header-based bypasses.
What is the Impact of CVE-2019-20445?
Successful exploitation may allow attackers to bypass security controls, inject arbitrary data, or achieve request smuggling, potentially leading to unauthorized access to information or services.
What is the Exploitability of CVE-2019-20445?
Exploitation primarily involves crafting malformed HTTP requests, which is generally a low-complexity task. No specific authentication or privilege requirements are mentioned, suggesting unauthenticated remote access is possible. The main prerequisite is that the vulnerable Netty version is in use and processing HTTP messages. There are no special conditions or constraints beyond the structure of the HTTP headers. The likelihood of exploitation increases if the application uses Netty in a deployment where HTTP request smuggling could yield significant results, such as behind reverse proxies or load balancers that may interpret malformed headers differently than the backend application.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-20445?
Available Upgrade Options
- io.netty:netty-handler
- >4.0.0, <4.1.45 → Upgrade to 4.1.45
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E
- https://access.redhat.com/errata/RHSA-2020:0805
- https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E
- https://github.com/netty/netty/issues/9861
- https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E
What are Similar Vulnerabilities to CVE-2019-20445?
Similar Vulnerabilities: CVE-2021-38297 , CVE-2023-38545 , CVE-2023-45803 , CVE-2019-17567 , CVE-2020-13956
