Netty Request Smuggling Vulnerability in HTTP/2 Content-Length Header Validation

Vulnerability

A request smuggling vulnerability has been identified in Netty versions prior to 4.1.61.Final, specifically in the 'io.netty:netty-codec-http2' component. The content-length header is not validated when a request arrives as a single Http2HeaderFrame with the endStream flag set to true: such a frame carries no body, yet a non-zero content-length is passed through unchecked. When the HTTP/2 request is proxied to a remote peer and converted to HTTP/1.1, the peer trusts the forwarded content-length, and the discrepancy between the declared and actual body length is what enables request smuggling. The vulnerability is particularly concerning because it follows a related issue (CVE-2021-21295) that was not fully addressed. Exploitation therefore consists of manipulating the content-length header and relying on the improper handling of HTTP/2 streams during the conversion to HTTP/1.1.
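To make the missing check concrete, here is an added Python model of the HTTP/2-to-HTTP/1.1 translation step a proxy performs. It is written for this page and is not code from Netty, Zuul or Flink; the frame types HeadersFrame and DataFrame, the translate_stream function and the sample streams are all constructed assumptions. It shows the validation the advisory describes as absent before 4.1.61.Final: a HEADERS frame with END_STREAM set carries no body, so any non-zero content-length is rejected, a body that does not match the declared length is rejected, and the HTTP/1.1 Content-Length the proxy emits is derived from the bytes actually received rather than copied from the client.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


class StreamError(Exception):
    """Raised when a stream must be reset instead of being forwarded."""


@dataclass
class HeadersFrame:
    headers: Dict[str, str]   # lower-cased HTTP/2 header block, pseudo-headers included
    end_stream: bool          # END_STREAM flag: True means no body follows


@dataclass
class DataFrame:
    payload: bytes
    end_stream: bool


Frame = Union[HeadersFrame, DataFrame]


def parse_content_length(value: str) -> int:
    # RFC 9110 allows only 1*DIGIT; reject signs, spaces, comma lists and non-ASCII digits.
    if not (value.isascii() and value.isdigit()):
        raise StreamError(f"malformed content-length: {value!r}")
    return int(value)


def translate_stream(frames: List[Frame]) -> bytes:
    """Convert one HTTP/2 request stream into HTTP/1.1 wire bytes, refusing any
    stream whose declared content-length disagrees with the body actually received."""
    if not frames or not isinstance(frames[0], HeadersFrame):
        raise StreamError("stream must begin with a HEADERS frame")
    head = frames[0]

    declared: Optional[int] = None
    if "content-length" in head.headers:
        declared = parse_content_length(head.headers["content-length"])
        # The check at the heart of this advisory: END_STREAM on the HEADERS frame means
        # the body is empty, so a non-zero content-length can never be honest.
        if head.end_stream and declared != 0:
            raise StreamError(
                f"content-length {declared} on a HEADERS frame with END_STREAM set")

    body = bytearray()
    ended = head.end_stream
    for frame in frames[1:]:
        if ended:
            raise StreamError("frame received after END_STREAM")
        if not isinstance(frame, DataFrame):
            raise StreamError("only DATA frames may follow the request HEADERS here")
        body += frame.payload
        if declared is not None and len(body) > declared:
            raise StreamError("body exceeds declared content-length")
        ended = frame.end_stream
    if not ended:
        raise StreamError("stream closed without END_STREAM")
    if declared is not None and len(body) != declared:
        raise StreamError(f"declared content-length {declared}, received {len(body)} bytes")

    # Serialise as HTTP/1.1. The Content-Length we emit is always derived from the
    # body we actually received, never copied from the client's header.
    request_line = f"{head.headers[':method']} {head.headers[':path']} HTTP/1.1"
    lines = [request_line, f"Host: {head.headers.get(':authority', '')}"]
    for name, value in head.headers.items():
        if name.startswith(":") or name in ("host", "content-length", "transfer-encoding"):
            continue
        lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + bytes(body)


if __name__ == "__main__":
    # Constructed sample streams, not captured traffic.
    honest = [HeadersFrame({":method": "POST", ":path": "/submit", ":authority": "app.example",
                            "content-type": "text/plain", "content-length": "5"}, False),
              DataFrame(b"hello", True)]
    print(translate_stream(honest).decode("latin-1"))
    lying = [HeadersFrame({":method": "POST", ":path": "/submit", ":authority": "app.example",
                           "content-length": "42"}, True)]
    try:
        translate_stream(lying)
    except StreamError as err:
        print("rejected:", err)
```

The two properties that matter for detection and mitigation are visible in the rejection paths: a stream is never forwarded with a content-length the proxy did not itself verify, and the HTTP/1.1 peer only ever sees a Content-Length equal to the body bytes it will receive, so there is no disagreement for a downstream parser to exploit.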

Impact

Exploitation of this vulnerability can lead to HTTP request smuggling, where an attacker manipulates the content-length header to create a discrepancy between the expected and actual length of the request body. This can result in one request being smuggled inside another, potentially bypassing security controls or causing unintended actions on the server.

Reproduction

To reproduce this vulnerability, send an HTTP/2 request that carries a content-length header in a single header frame with the endStream flag set. Ensure that the request is proxied to a remote server over HTTP/1.1, where the forwarded content-length header is taken at face value. This can be done using a proxy server that converts HTTP/2 to HTTP/1.1, such as Netflix Zuul.

Remediation

Upgrade Netty to version 4.1.61.Final or later. This vulnerability has been fixed in the 4.1.61.Final release. For users of Apache Flink, this vulnerability can be addressed by upgrading to Flink versions 1.11.3, 1.12.2, or 1.13.0, all of which include the patched version of Netty.

Added: Apr 7, 2026, 11:41 AM
Updated: Apr 7, 2026, 11:41 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.2
remediation: 0.0
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.