Vulnerable Libraries - netty-all-4.0.13.Final.jar, netty-all-4.1.9.Final.jar, netty-codec-http2-4.1.32.Final.jar, netty-codec-http2-4.1.8.Final.jar, netty-codec-http2-4.1.48.Final.jar, netty-codec-http2-4.1.29.Final.jar, netty-codec-http2-4.1.12.Final.jar, netty-codec-http2-4.1.51.Final.jar, netty-codec-http2-4.1.53.Final.jar, netty-codec-http2-4.1.52.Final.jar, netty-codec-http2-4.1.15.Final.jar, netty-codec-http2-4.1.43.Final.jar
netty-all-4.0.13.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/jms/jms.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-all/4.0.13.Final/75de08aeaef1712d88b011d81900937481fc3e7/netty-all-4.0.13.Final.jar
Dependency Hierarchy:
- hornetq-jms-server-2.4.7.Final.jar (Root Library)
- hornetq-server-2.4.7.Final.jar
- ❌ netty-all-4.0.13.Final.jar (Vulnerable Library)
netty-all-4.1.9.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/java-concurrent/java-concurrent.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/io.netty/netty-all/4.1.9.Final/97860965d6a0a6b98e7f569f3f966727b8db75/netty-all-4.1.9.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-all/4.1.9.Final/97860965d6a0a6b98e7f569f3f966727b8db75/netty-all-4.1.9.Final.jar
Dependency Hierarchy:
- ❌ netty-all-4.1.9.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.32.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/aws-java-sdk-2.2/aws-java-sdk-2.2.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.32.Final/d14eb053a1f96d3330ec48e77d489118d547557a/netty-codec-http2-4.1.32.Final.jar
Dependency Hierarchy:
- kinesis-2.2.0.jar (Root Library)
- netty-nio-client-2.2.0.jar
- ❌ netty-codec-http2-4.1.32.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.8.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/finatra-2.9/finatra-2.9.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.8.Final/105a99ee5767463370ccc3d2e16800bd99f5648e/netty-codec-http2-4.1.8.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.8.Final/105a99ee5767463370ccc3d2e16800bd99f5648e/netty-codec-http2-4.1.8.Final.jar
Dependency Hierarchy:
- vertx-web-3.4.0.jar (Root Library)
- vertx-core-3.4.0.jar
- ❌ netty-codec-http2-4.1.8.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.48.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Library home page: https://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/vertx-redis-client-3.9/vertx-redis-client-3.9.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.48.Final/f7a0e40d0eea9a60c05f705a128473f08a3de1dc/netty-codec-http2-4.1.48.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.48.Final/f7a0e40d0eea9a60c05f705a128473f08a3de1dc/netty-codec-http2-4.1.48.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.48.Final/f7a0e40d0eea9a60c05f705a128473f08a3de1dc/netty-codec-http2-4.1.48.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.48.Final/f7a0e40d0eea9a60c05f705a128473f08a3de1dc/netty-codec-http2-4.1.48.Final.jar
Dependency Hierarchy:
- micronaut-http-server-netty-2.0.0.jar (Root Library)
- micronaut-http-netty-2.0.0.jar
- ❌ netty-codec-http2-4.1.48.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.29.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/netty-4.1/netty-4.1.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.29.Final/e573656f141a54f808ba482213a3abca2f2c6e6d/netty-codec-http2-4.1.29.Final.jar
Dependency Hierarchy:
- reactor-netty-0.8.0.RELEASE.jar (Root Library)
- ❌ netty-codec-http2-4.1.29.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.12.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/grpc-1.5/grpc-1.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.12.Final/5373bd1a7b61f4620a3c421ee999f6142d8aa06d/netty-codec-http2-4.1.12.Final.jar
Dependency Hierarchy:
- grpc-netty-1.5.0.jar (Root Library)
- ❌ netty-codec-http2-4.1.12.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.51.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Library home page: https://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/finatra-2.9/finatra-2.9.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.51.Final/1d9d8d24fad44ae249b941e9ef61169b5b457d39/netty-codec-http2-4.1.51.Final.jar
Dependency Hierarchy:
- finatra-http_2.11-21.2.0.jar (Root Library)
- finagle-http_2.11-21.2.0.jar
- finagle-http2_2.11-21.2.0.jar
- ❌ netty-codec-http2-4.1.51.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.53.Final.jar
Library home page: https://netty.io/
Path to dependency file: /dd-smoke-tests/spring-boot-2.4-webflux/spring-boot-2.4-webflux.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.53.Final/97612c9c5b07cd7c7822542fa373b3263ccb8da0/netty-codec-http2-4.1.53.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.53.Final/97612c9c5b07cd7c7822542fa373b3263ccb8da0/netty-codec-http2-4.1.53.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.53.Final/97612c9c5b07cd7c7822542fa373b3263ccb8da0/netty-codec-http2-4.1.53.Final.jar
Dependency Hierarchy:
- spring-boot-starter-reactor-netty-2.4.0.jar (Root Library)
- reactor-netty-http-1.0.1.jar
- ❌ netty-codec-http2-4.1.53.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.52.Final.jar
Path to dependency file: /dd-java-agent/instrumentation/grpc-1.5/grpc-1.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.52.Final/1e06a41e2b67cd6f91bf97935f4729c843ac1a57/netty-codec-http2-4.1.52.Final.jar
Dependency Hierarchy:
- grpc-netty-1.41.0.jar (Root Library)
- ❌ netty-codec-http2-4.1.52.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.15.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/vertx-rx-3.5/vertx-rx-3.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.15.Final/4fd3b955b53ee80ef8d872dcdb53aea9f8f47a77/netty-codec-http2-4.1.15.Final.jar
Dependency Hierarchy:
- vertx-rx-java2-3.5.0.jar (Root Library)
- vertx-core-3.5.0.jar
- ❌ netty-codec-http2-4.1.15.Final.jar (Vulnerable Library)
netty-codec-http2-4.1.43.Final.jar
Netty is an asynchronous event-driven network application framework for
rapid development of maintainable high performance protocol servers and
clients.
Library home page: https://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/finatra-2.9/finatra-2.9.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.43.Final/d859a766119d7845e4d10e64a1f846d3d26d5ff2/netty-codec-http2-4.1.43.Final.jar
Dependency Hierarchy:
- finatra-http_2.11-19.12.0.jar (Root Library)
- finagle-http_2.11-19.12.0.jar
- finagle-http2_2.11-19.12.0.jar
- ❌ netty-codec-http2-4.1.43.Final.jar (Vulnerable Library)
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Suggested Fix
Type: Upgrade version
Origin: GHSA-f256-j965-7f32
Release Date: 2021-03-30
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (software.amazon.awssdk:kinesis): 2.16.36
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.vertx:vertx-web): 3.5.0
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.micronaut:micronaut-http-server-netty): 2.5.4
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.projectreactor.netty:reactor-netty): 0.9.19.RELEASE
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.grpc:grpc-netty): 1.39.0
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-reactor-netty): 2.4.5
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.grpc:grpc-netty): 1.42.0
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.vertx:vertx-rx-java2): 3.5.4
CVE-2021-21409 - Medium Severity Vulnerability
netty-all-4.0.13.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/jms/jms.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-all/4.0.13.Final/75de08aeaef1712d88b011d81900937481fc3e7/netty-all-4.0.13.Final.jar
Dependency Hierarchy:
netty-all-4.1.9.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/java-concurrent/java-concurrent.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/io.netty/netty-all/4.1.9.Final/97860965d6a0a6b98e7f569f3f966727b8db75/netty-all-4.1.9.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-all/4.1.9.Final/97860965d6a0a6b98e7f569f3f966727b8db75/netty-all-4.1.9.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.32.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/aws-java-sdk-2.2/aws-java-sdk-2.2.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.32.Final/d14eb053a1f96d3330ec48e77d489118d547557a/netty-codec-http2-4.1.32.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.8.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/finatra-2.9/finatra-2.9.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.8.Final/105a99ee5767463370ccc3d2e16800bd99f5648e/netty-codec-http2-4.1.8.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.8.Final/105a99ee5767463370ccc3d2e16800bd99f5648e/netty-codec-http2-4.1.8.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.48.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/vertx-redis-client-3.9/vertx-redis-client-3.9.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.48.Final/f7a0e40d0eea9a60c05f705a128473f08a3de1dc/netty-codec-http2-4.1.48.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.48.Final/f7a0e40d0eea9a60c05f705a128473f08a3de1dc/netty-codec-http2-4.1.48.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.48.Final/f7a0e40d0eea9a60c05f705a128473f08a3de1dc/netty-codec-http2-4.1.48.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.48.Final/f7a0e40d0eea9a60c05f705a128473f08a3de1dc/netty-codec-http2-4.1.48.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.29.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/netty-4.1/netty-4.1.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.29.Final/e573656f141a54f808ba482213a3abca2f2c6e6d/netty-codec-http2-4.1.29.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.12.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/grpc-1.5/grpc-1.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.12.Final/5373bd1a7b61f4620a3c421ee999f6142d8aa06d/netty-codec-http2-4.1.12.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.51.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/finatra-2.9/finatra-2.9.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.51.Final/1d9d8d24fad44ae249b941e9ef61169b5b457d39/netty-codec-http2-4.1.51.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.53.Final.jar
Library home page: https://netty.io/
Path to dependency file: /dd-smoke-tests/spring-boot-2.4-webflux/spring-boot-2.4-webflux.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.53.Final/97612c9c5b07cd7c7822542fa373b3263ccb8da0/netty-codec-http2-4.1.53.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.53.Final/97612c9c5b07cd7c7822542fa373b3263ccb8da0/netty-codec-http2-4.1.53.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.53.Final/97612c9c5b07cd7c7822542fa373b3263ccb8da0/netty-codec-http2-4.1.53.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.52.Final.jar
Path to dependency file: /dd-java-agent/instrumentation/grpc-1.5/grpc-1.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.52.Final/1e06a41e2b67cd6f91bf97935f4729c843ac1a57/netty-codec-http2-4.1.52.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.15.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/vertx-rx-3.5/vertx-rx-3.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.15.Final/4fd3b955b53ee80ef8d872dcdb53aea9f8f47a77/netty-codec-http2-4.1.15.Final.jar
Dependency Hierarchy:
netty-codec-http2-4.1.43.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /dd-java-agent/instrumentation/finatra-2.9/finatra-2.9.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.43.Final/d859a766119d7845e4d10e64a1f846d3d26d5ff2/netty-codec-http2-4.1.43.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
Publish Date: 2021-03-30
URL: CVE-2021-21409
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-f256-j965-7f32
Release Date: 2021-03-30
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (software.amazon.awssdk:kinesis): 2.16.36
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.vertx:vertx-web): 3.5.0
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.micronaut:micronaut-http-server-netty): 2.5.4
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.projectreactor.netty:reactor-netty): 0.9.19.RELEASE
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.grpc:grpc-netty): 1.39.0
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-reactor-netty): 2.4.5
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.grpc:grpc-netty): 1.42.0
Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final
Direct dependency fix Resolution (io.vertx:vertx-rx-java2): 3.5.4
⛑️ Automatic Remediation is available for this issue