低危 Netty HttpObjectDecoder.java 环境问题漏洞

CVE编号

CVE-2019-20444

利用情况

暂无

补丁情况

官方补丁

披露时间

2020-01-30
漏洞描述
Netty是Netty社区的一款非阻塞I/O客户端-服务器框架,它主要用于开发Java网络应用程序,如协议服务器和客户端等。
Netty 4.1.44之前版本中的HttpObjectDecoder.java文件存在环境问题漏洞。该漏洞源于网络系统或产品的环境因素不合理。

解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
https://access.redhat.com/errata/RHSA-2020:0497
https://access.redhat.com/errata/RHSA-2020:0567
https://access.redhat.com/errata/RHSA-2020:0601
https://access.redhat.com/errata/RHSA-2020:0605
https://access.redhat.com/errata/RHSA-2020:0606
https://access.redhat.com/errata/RHSA-2020:0804
https://access.redhat.com/errata/RHSA-2020:0805
https://access.redhat.com/errata/RHSA-2020:0806
https://access.redhat.com/errata/RHSA-2020:0811
https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
https://github.com/netty/netty/issues/9866
https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f...
https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d40...
https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06...
https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1...
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a70533...
https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef...
https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d...
https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f13350...
https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b4...
https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69...
https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a7...
https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0...
https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee34...
https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410...
https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f...
https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e35690...
https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709...
https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb684609842...
https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0...
https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf...
https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74...
https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff3...
https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae87...
https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b01209...
https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff...
https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006c...
https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9...
https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c...
https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a3...
https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b...
https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f...
https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd...
https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c08...
https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7...
https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd18...
https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea...
https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96...
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2...
https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb...
https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33...
https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792...
https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5...
https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd...
https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b3...
https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01...
https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2...
https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de3...
https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b...
https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html
https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html
https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://usn.ubuntu.com/4532-1/
https://www.debian.org/security/2021/dsa-4885
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 netty netty * Up to
(excluding)
4.1.44
运行在以下环境
系统 debian_10 netty * Up to
(excluding)
4.1.33-1+deb10u2
运行在以下环境
系统 debian_11 netty * Up to
(excluding)
4.1.45-1
运行在以下环境
系统 debian_12 netty * Up to
(excluding)
4.1.45-1
运行在以下环境
系统 fedora_33 jctools * Up to
(excluding)
3.1.0-1.fc33
运行在以下环境
系统 ubuntu_18.04 netty * Up to
(excluding)
3.9.9.Final-1+deb9u1build0.18.04.1
阿里云评分
3.1
  • 攻击路径
    远程
  • 攻击复杂度
    复杂
  • 权限要求
    无需权限
  • 影响范围
    有限影响
  • EXP成熟度
    未验证
  • 补丁情况
    官方补丁
  • 数据保密性
    无影响
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    100
CWE-ID 漏洞类型
CWE-444 HTTP请求的解释不一致性(HTTP请求私运)
阿里云安全产品覆盖情况