Low severity: Netty environment issue vulnerability

CVE ID

CVE-2021-21409

Exploitation status

None known

Patch status

Official patch

Disclosure date

2021-03-31
Vulnerability description
Netty is a non-blocking I/O client-server framework maintained by the Netty community, used mainly for developing Java network applications such as protocol servers and clients.
Netty contains an environment issue vulnerability that leads to request smuggling.
Remediation
The vendor has released an upgrade patch that fixes the vulnerability; the patch can be obtained at:
https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295
https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904...
https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e30...
https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb5...
https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fd...
https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815ca...
https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a970...
https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c4...
https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afea...
https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d...
https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca86...
https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c6...
https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424...
https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc...
https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc...
https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6...
https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837fea...
https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f8...
https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b...
https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031de...
https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d4603...
https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a003118...
https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e...
https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b...
https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46...
https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d629374...
https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d63...
https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2...
https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b5282...
https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697...
https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb77922...
https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f...
https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245d...
https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b...
https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae...
https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d...
https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80...
https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb...
https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d...
https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9...
https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb...
https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f0...
https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b6...
https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f2397...
https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4f...
https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04...
https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c...
https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d...
https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c8459...
https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e47...
https://security.netapp.com/advisory/ntap-20210604-0003/
https://www.debian.org/security/2021/dsa-4885
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
Affected software
#   Type         Vendor / platform        Product  Version  Affected range
1   Application  netty                    netty    *        Up to (excluding) 4.1.61
    System       debian_10                netty    *        Up to (excluding) 4.1.33-1+deb10u2
    System       debian_11                netty    *        Up to (excluding) 4.1.48-4
    System       debian_12                netty    *        Up to (excluding) 4.1.48-4
    System       kylinos_aarch64_V10SP2   netty    *        Up to (excluding) 4.1.13-11.ky10
    System       kylinos_x86_64_V10SP2    netty    *        Up to (excluding) 4.1.13-11.ky10
    System       opensuse_Leap_15.3       netty    *        Up to (excluding) 4.1.75-150200.4.9.1
    System       rocky_linux_8            libdb    *        Up to (excluding) 5.3.28-42.el8_4
    System       ubuntu_22.04             netty    *        Up to (excluding) 4.1.48-4+deb11u1build0.22.04.1
    System       ubuntu_22.10             netty    *        Up to (excluding) 4.1.48-5ubuntu0.1
Alibaba Cloud score
3.8
  • Attack vector
    Remote
  • Attack complexity
    Easy
  • Privileges required
    None
  • Scope of impact
    Limited impact
  • Exploit maturity
    N/A
  • Patch status
    Official patch
  • Data confidentiality
    No impact
  • Data integrity
    Transmission corrupted
  • Server harm
    No impact
  • Internet-wide exposure count
    N/A
CWE-ID Vulnerability type
CWE-444 Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)
Alibaba Cloud security product coverage