[FOLIO-2368] Netty HTTP request smuggling security vulnerability CVE-2019-16869 Created: 28/Nov/19  Updated: 10/Aug/20  Resolved: 15/Jun/20

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P2
Reporter: Julian Ladisch Assignee: Unassigned
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
is blocked by RMB-529 Vert.x 3.8.4 fixing Netty HTTP reques... Closed
is blocked by OKAPI-779 Upgrade to Vert.x 3.8.4 Closed
Sprint: DevOps: Sprint 95
Development Team: Core: Platform

Description

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

CVSS 3.x Severity and Metrics:
Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

https://nvd.nist.gov/vuln/detail/CVE-2019-16869

Fix: Update Netty to 4.1.42.Final

Vert.x below 3.8.3 uses Netty 4.1.39.Final and is affected.
Vert.x 3.8.3 upgraded to Netty 4.1.42.Final: https://github.com/vert-x3/wiki/wiki/3.8.3-Release-Notes

Okapi below 2.34.0 uses Vert.x 3.8.1 and is affected: https://github.com/folio-org/okapi/pull/849

RMB up to 29.0.1 uses Vert.x 3.8.1 and is affected: https://github.com/folio-org/raml-module-builder/blob/07c76c4/pom.xml#L69

All modules that use an RMB version up to 29.0.1 are affected.
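As an added illustration (not code from this issue, Netty, or Vert.x), the following Python parser enforces the RFC 7230 §3.2.4 rule that a server must reject a request whose field-name is followed by whitespace before the colon. A lenient parser that trims or ignores that whitespace can disagree with a strict upstream proxy about whether "Transfer-Encoding : chunked" is a Transfer-Encoding header at all, which is the parser discrepancy behind CVE-2019-16869; rejecting the message outright removes the ambiguity. The sample requests are constructed for this example.

```python
import re

# RFC 7230 "token" characters: a field-name must consist only of these, so a
# name that ends in a space or tab ("Transfer-Encoding ") is invalid.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_headers(raw):
    """Parse the header block of one HTTP/1.1 request given as CRLF-separated bytes.

    Returns a dict of lower-cased field-name -> value. Raises ValueError for
    input a strict server must reject with 400 Bad Request, in particular
    whitespace between the field-name and the colon.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding rejected")
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("header line without colon: %r" % line)
        name = name.decode("latin-1")
        if not _TOKEN_RE.match(name):
            raise ValueError("invalid field-name (whitespace or bad char): %r" % name)
        key = name.lower()
        val = value.strip(b" \t").decode("latin-1")
        # Repeated field-names are combined with a comma, as RFC 7230 allows.
        headers[key] = (headers[key] + ", " + val) if key in headers else val
    # Both framing headers present is another classic smuggling ambiguity.
    if "transfer-encoding" in headers and "content-length" in headers:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    return headers


# Constructed sample requests: one well-formed, one carrying the malformed
# "Transfer-Encoding : chunked" line named in the CVE description.
GOOD = b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello"
BAD = (b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n"
       b"Transfer-Encoding : chunked\r\n\r\nhello")


def is_acceptable(raw):
    """True if the request passes strict header validation, else False."""
    try:
        parse_headers(raw)
        return True
    except ValueError:
        return False
```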

Comments
Comment by Julian Ladisch [ 15/Jun/20 ]

The minimum RMB version for Fameflower was 29.3.0: https://folio-org.atlassian.net/wiki/display/COMMUNITY/Q1+2020+%28Fameflower%29+Release+Notes
