Netty 至 4.1.43 HttpObjectDecoder.java 请求走私漏洞

CVE编号

CVE-2019-20445

利用情况

暂无

补丁情况

官方补丁

披露时间

2020-01-30

漏洞描述

Netty是Netty社区的一款非阻塞I/O客户端-服务器框架，它主要用于开发Java网络应用程序，如协议服务器和客户端等。 Netty 4.1.44之前版本中的HttpObjectDecoder.java文件存在环境问题漏洞。该漏洞源于网络系统或产品的环境因素不合理。

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://access.redhat.com/errata/RHSA-2020:0497
https://access.redhat.com/errata/RHSA-2020:0567
https://access.redhat.com/errata/RHSA-2020:0601
https://access.redhat.com/errata/RHSA-2020:0605
https://access.redhat.com/errata/RHSA-2020:0606
https://access.redhat.com/errata/RHSA-2020:0804
https://access.redhat.com/errata/RHSA-2020:0805
https://access.redhat.com/errata/RHSA-2020:0806
https://access.redhat.com/errata/RHSA-2020:0811
https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
https://github.com/netty/netty/issues/9861
https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6...
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a70533...
https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef...
https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d...
https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f13350...
https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b4...
https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a7...
https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c5349...
https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410...
https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6c...
https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f...
https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e35690...
https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709...
https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb684609842...
https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0...
https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041...
https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf...
https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74...
https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006c...
https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9...
https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c...
https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a3...
https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b...
https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f...
https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd...
https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f9174510...
https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7...
https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08c...
https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96...
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2...
https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb...
https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33...
https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd...
https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2...
https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de3...
https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b...
https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html
https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html
https://lists.fedoraproject.org/archives/list/[email protected]...
https://usn.ubuntu.com/4532-1/
https://www.debian.org/security/2021/dsa-4885

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	netty	netty	*		Up to (excluding) 4.1.44
	运行在以下环境
	系统	debian_10	netty	*		Up to (excluding) 1:4.1.33-1+deb10u2
	运行在以下环境
	系统	debian_8	netty	*		Up to (excluding) 3.9.0.Final-1+deb8u1
	运行在以下环境
	系统	debian_9	netty	*		Up to (excluding) 3.9.9.Final-1+deb9u1
	运行在以下环境
	系统	fedora_33	netty	*		Up to (excluding) 3.1.0-1.fc33
	运行在以下环境
	系统	ubuntu_16.04	netty	*		Up to (excluding) 3.9.0.Final-1ubuntu0.1
	运行在以下环境
	系统	ubuntu_18.04	netty	*		Up to (excluding) 3.9.9.Final-1+deb9u1build0.18.04.1

攻击路径远程
攻击复杂度复杂
权限要求无需权限
影响范围有限影响
EXP成熟度未验证
补丁情况官方补丁
数据保密性无影响
数据完整性无影响
服务器危害无影响
全网数量 100

CWE-ID 漏洞类型 CWE-444 HTTP请求的解释不一致性（HTTP请求私运）

正文

Netty 至 4.1.43 HttpObjectDecoder.java 请求走私漏洞

漏洞描述

解决建议

参考链接

受影响软件情况

相关阅读

IBM Tivoli Federated Identity Manager up to 6.2.2 FP15 跨站脚本攻击

IBM WebSphere MQ Light拒绝服务漏洞

IBM Security Network Protection GSKit信息泄露漏洞

NetApp Data ONTAP信息泄露漏洞

发表评论取消回复

还没有评论，来说两句吧...

目录[+]