CVE-2021-21409 Overview
CVE-2021-21409 is an HTTP Request Smuggling vulnerability in Netty, an open-source, asynchronous event-driven network application framework used for developing high-performance protocol servers and clients. The vulnerability exists in the io.netty:netty-codec-http2 component where the content-length header is not correctly validated when a request uses a single Http2HeaderFrame with the endStream flag set to true.
This flaw can lead to request smuggling attacks when the HTTP/2 request is proxied to a remote peer and translated to HTTP/1.1. The vulnerability is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed addressing this specific edge case.
Critical Impact
Attackers can bypass security controls, poison web caches, and hijack user sessions by exploiting inconsistent request interpretation between front-end and back-end servers in proxy configurations.
Affected Products
- Netty versions prior to 4.1.61.Final
- Debian Linux 10.0
- NetApp OnCommand API Services
- NetApp OnCommand Workflow Automation
- Oracle Banking Corporate Lending Process Management (14.2.0, 14.3.0, 14.5.0)
- Oracle Banking Credit Facilities Process Management (14.2.0, 14.3.0, 14.5.0)
- Oracle Banking Trade Finance Process Management (14.2.0, 14.3.0, 14.5.0)
- Oracle Coherence (12.2.1.4.0, 14.1.1.0.0)
- Oracle Communications BRM - Elastic Charging Engine (12.0.0.3)
- Oracle Communications Cloud Native Core Console (1.7.0)
- Oracle Communications Cloud Native Core Policy (1.14.0)
- Oracle Communications Design Studio (7.4.2.0.0)
- Oracle Communications Messaging Server (8.1)
- Oracle Helidon (1.4.10, 2.4.0)
- Oracle JD Edwards EnterpriseOne Tools
- Oracle NoSQL Database
- Oracle Primavera Gateway
- Quarkus
Discovery Timeline
- March 30, 2021 - CVE-2021-21409 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-21409
Vulnerability Analysis
This HTTP Request Smuggling vulnerability (CWE-444) occurs due to improper validation of the content-length header in HTTP/2 requests processed by Netty's codec. When an HTTP/2 request consists of a single Http2HeaderFrame with endStream set to true, the framework fails to properly validate that the content-length header accurately represents the request body size.
Request smuggling attacks exploit inconsistencies in how different servers parse and interpret HTTP requests. In this case, when a vulnerable Netty-based proxy translates an HTTP/2 request to HTTP/1.1 for a backend server, the discrepancy in content-length handling can allow an attacker to craft ambiguous requests. These requests may be interpreted differently by the front-end proxy and the back-end server, enabling the attacker to "smuggle" a second request within the first.
The vulnerability's impact includes the ability to bypass security controls, hijack user sessions, poison web caches, and perform unauthorized actions by manipulating request boundaries. This is particularly dangerous in environments where Netty serves as an HTTP/2-to-HTTP/1.1 proxy or gateway.
Root Cause
The root cause lies in the DefaultHttp2ConnectionDecoder.java file within the netty-codec-http2 module. The decoder did not properly track whether headers had already been received for a stream when processing HEADERS frames. This allowed attackers to manipulate the content-length validation logic by using a specific frame configuration.
The original fix for CVE-2021-21295 addressed similar content-length validation issues but missed the edge case where requests use only a single Http2HeaderFrame with endStream set to true. This oversight allowed the request smuggling vector to remain exploitable.
Attack Vector
The attack requires network access to a vulnerable Netty-based application acting as an HTTP/2 proxy. An attacker crafts a malicious HTTP/2 request with a manipulated content-length header and specific frame structure. When this request is proxied and translated to HTTP/1.1, the inconsistent interpretation between the front-end and back-end servers allows a second, smuggled request to be processed.
The attack can be executed without authentication or user interaction, though it requires specific network conditions where the vulnerable Netty instance proxies requests to a backend HTTP/1.1 server.
short weight, boolean exclusive, int padding, boolean endOfStream) throws Http2Exception {
Http2Stream stream = connection.stream(streamId);
boolean allowHalfClosedRemote = false;
+ boolean isTrailers = false;
if (stream == null && !connection.streamMayHaveExisted(streamId)) {
stream = connection.remote().createStream(streamId, endOfStream);
// Allow the state to be HALF_CLOSE_REMOTE if we're creating it in that state.
allowHalfClosedRemote = stream.state() == HALF_CLOSED_REMOTE;
+ } else if (stream != null) {
+ isTrailers = stream.isHeadersReceived();
}
if (shouldIgnoreHeadersOrDataFrame(ctx, streamId, stream, "HEADERS")) {
Source: GitHub Netty Commit
The patch introduces an isTrailers boolean variable that tracks whether headers have already been received for a stream by calling stream.isHeadersReceived(). This additional state tracking ensures proper validation of content-length headers in all request scenarios.
Detection Methods for CVE-2021-21409
Indicators of Compromise
- Unusual discrepancies between front-end access logs and back-end access logs indicating request boundary manipulation
- HTTP responses being served to incorrect clients or containing unexpected cached content
- Unexpected backend server behavior where single client connections appear to generate multiple unrelated requests
- Log entries showing malformed or duplicated HTTP headers in translated HTTP/1.1 requests
Detection Strategies
- Monitor HTTP/2-to-HTTP/1.1 proxy conversion points for anomalous content-length header values that don't match actual body sizes
- Implement deep packet inspection rules to detect HTTP request smuggling patterns in translated requests
- Audit application dependencies using software composition analysis tools to identify vulnerable Netty versions (io.netty:netty-codec-http2 prior to 4.1.61.Final)
- Deploy web application firewalls configured to detect and block request smuggling attack signatures
Monitoring Recommendations
- Enable detailed logging on HTTP/2 proxies to capture frame-level information including endStream flags and header contents
- Implement real-time alerting for cache poisoning indicators such as unexpected cache hit/miss ratios
- Monitor for session anomalies where authenticated sessions appear to receive responses intended for other users
- Track Netty library version usage across all deployed applications and containerized workloads
How to Mitigate CVE-2021-21409
Immediate Actions Required
- Upgrade Netty to version 4.1.61.Final or later across all affected applications
- Audit all Java applications using Maven or Gradle to identify transitive dependencies on vulnerable io.netty:netty-codec-http2 versions
- Review Oracle, NetApp, and Debian security advisories for specific patch guidance for affected downstream products
- Temporarily disable HTTP/2-to-HTTP/1.1 proxy functionality if immediate patching is not possible
Patch Information
The vulnerability was fixed in Netty version 4.1.61.Final. The fix is available in the official GitHub commit.
For downstream products, consult the following vendor advisories:
- Oracle CPU July 2021
- Oracle CPU October 2021
- Oracle CPU January 2022
- Oracle CPU April 2022
- Debian Security Advisory DSA-4885
- NetApp Security Advisory ntap-20210604-0003
Workarounds
- Configure web application firewalls to normalize and validate content-length headers on all HTTP/2 traffic before proxy translation
- Implement strict request validation at backend servers to reject requests with mismatched content-length and body sizes
- Use end-to-end HTTP/2 where possible to avoid HTTP/1.1 translation vulnerabilities
- Deploy network segmentation to limit exposure of vulnerable proxy components
# Maven dependency update example
# Update pom.xml to use patched Netty version
mvn versions:use-latest-versions -Dincludes=io.netty:netty-codec-http2
# Gradle dependency update
# In build.gradle, enforce minimum version:
# implementation 'io.netty:netty-codec-http2:4.1.61.Final'
# Verify Netty version in dependencies
mvn dependency:tree | grep netty
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
