Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

The remote Redhat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0601 advisory.

  - netty: HTTP request smuggling (CVE-2019-20444)

  - netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header     (CVE-2019-20445)

  - netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 53caf29b-9180-11ed-acbe-b42e991fc52e advisory.

  - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported     versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to     exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to     compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible     data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2019-2684)

  - Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such     as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because     of an incomplete fix for CVE-2019-16869. (CVE-2020-7238)

  - Netty is an open-source, asynchronous event-driven network application framework. The package     `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290.
    When Netty's multipart decoders are used local information disclosure can occur via the local system     temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications     running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like     systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory     between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify     one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the     directory to something that is only readable by the current user. (CVE-2022-24823)

  - The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due     missing to nested depth limitation for collections. (CVE-2022-25857)

  - In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a     check in primitive value deserializers to avoid deep wrapper array nesting, when the     UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1     (CVE-2022-42003)

  - In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in     BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is     vulnerable only with certain customized choices for deserialization. (CVE-2022-42004)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security issues were discovered in Netty, a Java NIO client/server framework, which could result in HTTP request smuggling, denial of service or information disclosure.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4366 advisory.

  - mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258)

  - puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL (CVE-2018-11751)

  - rack-protection: Timing attack in authenticity_token.rb (CVE-2018-1000119)

  - hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)

  - Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS (CVE-2019-12781)

  - rubygem-rack: hijack sessions by using timing attacks targeting the session id (CVE-2019-16782)

  - rubygem-secure_headers: limited header injection when using dynamic overrides with user input     (CVE-2020-5216)

  - rubygem-secure_headers: directive injection when using dynamic overrides with user input (CVE-2020-5217)

  - rubygem-actionview: views that use the `j` or `escape_javascript` methods are susceptible to XSS attacks     (CVE-2020-5267)

  - netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

  - rubygem-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7663)

  - puppet: Arbitrary catalog retrieval (CVE-2020-7942)

  - puppet: puppet server and puppetDB may leak sensitive information via metrics API (CVE-2020-7943)

  - rubygem-rack: directory traversal in Rack::Directory (CVE-2020-8161)

  - rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names     (CVE-2020-8184)

  - jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)

  - jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)

  - jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)

  - jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)

  - hibernate-validator: Improper input validation in the interpolation of constraint error messages     (CVE-2020-10693)

  - jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968)

  - jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969)

  - jackson-databind: Serialization gadgets in org.springframework:spring-aop (CVE-2020-11619)

  - jackson-databind: serialization in weblogic/oracle-aqjms (CVE-2020-14061)

  - jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool     (CVE-2020-14062)

  - jackson-databind: serialization in org.jsecurity.realm.jndi.JndiRealmFactory (CVE-2020-14195)

  - foreman: unauthorized cache read on RPM-based installations through local user (CVE-2020-14334)

  - Satellite: Local user impersonation by Single sign-on (SSO) user leads to account takeover     (CVE-2020-14380)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4600-1 advisory.

  - Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a Transfer-     Encoding : chunked line), which leads to HTTP request smuggling. (CVE-2019-16869)

  - HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be     interpreted as a separate header with an incorrect syntax, or might be interpreted as an invalid fold.
    (CVE-2019-20444)

  - HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second     Content-Length header, or by a Transfer-Encoding header. (CVE-2019-20445)

  - Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such     as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because     of an incomplete fix for CVE-2019-16869. (CVE-2020-7238)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Several vulnerabilities have been discovered in netty, a Java NIO client/server socket framework.

CVE-2019-20444

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an 'invalid fold.'

CVE-2019-20445

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

CVE-2020-7238

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

CVE-2020-11612

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

For Debian 9 stretch, these problems have been fixed in version 1:4.1.7-2+deb9u2.

We recommend that you upgrade your netty packages.

For the detailed security status of netty please refer to its security tracker page at: https://security-tracker.debian.org/tracker/netty

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0806 advisory.

  - thrift: Endless loop when feed with specific input data (CVE-2019-0205)

  - thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)

  - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default     (CVE-2019-10086)

  - xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source     (CVE-2019-12400)

  - wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is     in use (CVE-2019-14887)

  - netty: HTTP request smuggling (CVE-2019-20444)

  - netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header     (CVE-2019-20445)

  - netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0805 advisory.

  - thrift: Endless loop when feed with specific input data (CVE-2019-0205)

  - thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)

  - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default     (CVE-2019-10086)

  - xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source     (CVE-2019-12400)

  - wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is     in use (CVE-2019-14887)

  - netty: HTTP request smuggling (CVE-2019-20444)

  - netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header     (CVE-2019-20445)

  - netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0804 advisory.

  - thrift: Endless loop when feed with specific input data (CVE-2019-0205)

  - thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)

  - apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default     (CVE-2019-10086)

  - xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source     (CVE-2019-12400)

  - wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is     in use (CVE-2019-14887)

  - netty: HTTP request smuggling (CVE-2019-20444)

  - netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header     (CVE-2019-20445)

  - netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0605 advisory.

  - netty: HTTP request smuggling (CVE-2019-20444)

  - netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header     (CVE-2019-20445)

  - netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several vulnerabilities were discovered in Netty, a Java NIO client/server socket framework :

CVE-2014-0193

WebSocket08FrameDecoder allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.

CVE-2014-3488

The SslHandler allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2019-16869

Netty mishandles whitespace before the colon in HTTP headers (such as a 'Transfer-Encoding : chunked' line), which leads to HTTP request smuggling.

CVE-2019-20444

HttpObjectDecoder.java allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an 'invalid fold.'

CVE-2019-20445

HttpObjectDecoder.java allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

CVE-2020-7238

Netty allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.

For Debian 8 'Jessie', these problems have been fixed in version 3.9.0.Final-1+deb8u1.

We recommend that you upgrade your netty-3.9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in the HTTP server provided by Netty, a Java NIO client/server socket framework :

CVE-2019-20444

HttpObjectDecoder.java allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an 'invalid fold.'

CVE-2019-20445

HttpObjectDecoder.java allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

CVE-2020-7238

Netty allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.

For Debian 8 'Jessie', these problems have been fixed in version 1:3.2.6.Final-2+deb8u2.

We recommend that you upgrade your netty packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
170341	RHEL 6 / 7 / 8 : AMQ Clients 2.6.0 Release (Important) (RHSA-2020:0601)	Nessus	Red Hat Local Security Checks	critical
169936	FreeBSD : cassandra3 -- multiple vulnerabilities (53caf29b-9180-11ed-acbe-b42e991fc52e)	Nessus	FreeBSD Local Security Checks	high
148326	Debian DSA-4885-1 : netty - security update	Nessus	Debian Local Security Checks	critical
142452	RHEL 7 : Satellite 6.8 (Important) (RHSA-2020:4366)	Nessus	Red Hat Local Security Checks	critical
141822	Ubuntu 16.04 LTS : Netty vulnerabilities (USN-4600-1)	Nessus	Ubuntu Local Security Checks	critical
140295	Debian DLA-2364-1 : netty security update	Nessus	Debian Local Security Checks	critical
134614	RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 8 (RHSA-2020:0806)	Nessus	Red Hat Local Security Checks	critical
134613	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 7 (RHSA-2020:0805)	Nessus	Red Hat Local Security Checks	critical
134612	RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 6 (RHSA-2020:0804)	Nessus	Red Hat Local Security Checks	critical
134098	RHEL 6 / 8 : Red Hat JBoss Enterprise Application Platform 7.2 (RHSA-2020:0605)	Nessus	Red Hat Local Security Checks	critical
133814	Debian DLA-2110-1 : netty-3.9 security update	Nessus	Debian Local Security Checks	critical
133813	Debian DLA-2109-1 : netty security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2020-7238

high

Tenable Plugins

critical

high

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical