CVE-2021-43797
HTTP Request Smuggling vulnerability in netty-codec-http (Maven)

HTTP Request Smuggling No known exploit

What is CVE-2021-43797 About?

Netty is vulnerable to HTTP Request Smuggling due to improper handling and skipping of control characters in header names. This flaw can allow attackers to bypass security controls by manipulating how proxies and backend servers interpret requests. Exploitation involves crafting specific HTTP requests that exploit the discrepancy in header parsing.

Affected Software

io.netty:netty-codec-http >4.0.0, <4.1.71.Final

Technical Details

The vulnerability in Netty arises because it 'sanitizes' HTTP header names by silently skipping control characters (\x00-\x1F, \x7F) when they are present at the beginning or end of a header name, instead of rejecting the request as invalid. This behavior deviates from HTTP specifications. When Netty acts as a proxy and forwards such sanitized headers to a backend system, the backend might parse the header in a different, stricter way and so see different HTTP requests than Netty did. This discrepancy can allow an attacker to 'smuggle' hidden requests, bypass security mechanisms like firewalls or Web Application Firewalls (WAFs), and potentially access or manipulate internal resources. The attack relies on the proxy (Netty) and the target server interpreting the same HTTP request header differently.
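The parsing gap described above can be modelled as a check over raw request bytes. This is an added example, not Netty's code: `lenient_name` models the skipping behaviour this page describes, `strict_name` applies the RFC 7230 token rule, and `audit_header_block` reports the header lines on which the two disagree. All function names and the sample request are constructed for illustration.

```python
import re

# RFC 7230 "token": the only characters allowed in a header field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters named on this page: 0x00-0x1F and 0x7F.
CTL = bytes(range(0x20)) + b"\x7f"

# Constructed sample request; host, path and header names are illustrative.
SAMPLE = (
    b"GET /status HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\x01X-Trace-Id: abc123\r\n"
    b"X-Request-Tag\x7f: blue\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def lenient_name(raw_name):
    """Model of the described behaviour: control characters at the start
    or end of the name are skipped without raising any error."""
    return raw_name.strip(CTL)


def strict_name(raw_name):
    """Spec-conforming behaviour: a name that is not a token is rejected."""
    if not TOKEN.fullmatch(raw_name):
        raise ValueError(f"invalid header name: {raw_name!r}")
    return raw_name


def audit_header_block(block):
    """Report header lines whose name is not a valid token. 'lenient' holds
    the name the lenient model would accept, or None if it rejects it too."""
    findings = []
    for line_no, line in enumerate(block.split(b"\r\n")[1:], start=2):
        if not line:
            break  # blank line ends the header block
        raw_name, sep, _ = line.partition(b":")
        if not sep or TOKEN.fullmatch(raw_name):
            continue  # no colon (not a header field) or a valid name
        cleaned = lenient_name(raw_name)
        lenient = cleaned if TOKEN.fullmatch(cleaned) else None
        findings.append({"line": line_no, "raw": raw_name, "lenient": lenient})
    return findings


if __name__ == "__main__":
    for finding in audit_header_block(SAMPLE):
        print(finding)
```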

What is the Impact of CVE-2021-43797?

Successful exploitation may allow attackers to bypass security controls, access unauthorized resources, or manipulate application logic through HTTP Request Smuggling.

What is the Exploitability of CVE-2021-43797?

Exploitation requires an attacker to be able to send specially crafted HTTP requests to a Netty-based proxy that then forwards them to a backend server. The complexity is high, as it requires a precise understanding of how Netty processes headers and how the backend server interprets them differently. Authentication is not typically required, as this attack often targets unauthenticated request paths (e.g., initial web server entry points). Privilege requirements are low to none. This is a remote vulnerability. Special conditions include an architecture where Netty is used as a proxy or gateway in front of another HTTP server that has a different parsing logic for invalid characters in HTTP headers. The likelihood of exploitation is increased if the network architecture is complex and involves multiple layers of proxies.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-43797?

Available Upgrade Options

  • io.netty:netty-codec-http
    • >4.0.0, <4.1.71.Final → Upgrade to 4.1.71.Final

What are Similar Vulnerabilities to CVE-2021-43797?

Similar Vulnerabilities: CVE-2023-44487, CVE-2023-38545, CVE-2021-2792, CVE-2021-23009, CVE-2021-43818