WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.

Several vulnerabilities were discovered in Netty, a Java NIO client/server socket framework :

CVE-2014-0193

WebSocket08FrameDecoder allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.

CVE-2014-3488

The SslHandler allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2019-16869

Netty mishandles whitespace before the colon in HTTP headers (such as a 'Transfer-Encoding : chunked' line), which leads to HTTP request smuggling.

CVE-2019-20444

HttpObjectDecoder.java allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an 'invalid fold.'

CVE-2019-20445

HttpObjectDecoder.java allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

CVE-2020-7238

Netty allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.

For Debian 8 'Jessie', these problems have been fixed in version 3.9.0.Final-1+deb8u1.

We recommend that you upgrade your netty-3.9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2014:1020 advisory.

    Red Hat JBoss Enterprise Application Platform 6 is a platform for Java     applications based on JBoss Application Server 7.

    A race condition flaw, leading to heap-based buffer overflows, was found in     the mod_status httpd module. A remote attacker able to access a status page     served by mod_status on a server using a threaded Multi-Processing Module     (MPM) could send a specially crafted request that would cause the httpd     child process to crash or, possibly, allow the attacker to execute     arbitrary code with the privileges of the apache user. (CVE-2014-0226)

    A denial of service flaw was found in the way httpd's mod_deflate module     handled request body decompression (configured via the DEFLATE input     filter). A remote attacker able to send a request whose body would be     decompressed could use this flaw to consume an excessive amount of system     memory and CPU on the target system. (CVE-2014-0118)

    A denial of service flaw was found in the way httpd's mod_cgid module     executed CGI scripts that did not read data from the standard input.
    A remote attacker could submit a specially crafted request that would cause     the httpd child process to hang indefinitely. (CVE-2014-0231)

    A flaw was found in the WebSocket08FrameDecoder implementation that could     allow a remote attacker to trigger an Out Of Memory Exception by issuing a     series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on     the server configuration, this could lead to a denial of service.
    (CVE-2014-0193)

    It was found that the isCallerInRole() method of the SimpleSecurityManager     did not correctly check caller roles. A remote, authenticated attacker     could use this flaw to circumvent the caller check in applications that use     black list access control based on caller roles. (CVE-2014-3472)

    Red Hat would like to thank James Roper of Typesafe for reporting     CVE-2014-0193, and CA Technologies for reporting CVE-2014-3472.

    This release of JBoss Enterprise Application Platform also includes bug     fixes and enhancements. Documentation for these changes will be available     shortly from the JBoss Enterprise Application Platform 6.3.0 Release Notes,     linked to in the References.

    All users who require JBoss Enterprise Application Platform 6.3.0 on Red     Hat Enterprise Linux 6 should install these new packages. The JBoss server     process must be restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated Red Hat JBoss Enterprise Application Platform 6.3.0 packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)

A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.
(CVE-2014-0118)

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)

A flaw was found in the WebSocket08FrameDecoder implementation that could allow a remote attacker to trigger an Out Of Memory Exception by issuing a series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on the server configuration, this could lead to a denial of service. (CVE-2014-0193)

It was found that the isCallerInRole() method of the SimpleSecurityManager did not correctly check caller roles. A remote, authenticated attacker could use this flaw to circumvent the caller check in applications that use black list access control based on caller roles. (CVE-2014-3472)

Red Hat would like to thank James Roper of Typesafe for reporting CVE-2014-0193, and CA Technologies for reporting CVE-2014-3472.

This release of JBoss Enterprise Application Platform also includes bug fixes and enhancements. Documentation for these changes will be available shortly from the JBoss Enterprise Application Platform 6.3.0 Release Notes, linked to in the References.

All users who require JBoss Enterprise Application Platform 6.3.0 on Red Hat Enterprise Linux 5 should install these new packages. The JBoss server process must be restarted for the update to take effect.

ID	Name	Product	Family	Severity
133814	Debian DLA-2110-1 : netty-3.9 security update	Nessus	Debian Local Security Checks	critical
77079	RHEL 6 : Red Hat JBoss Enterprise Application Platform 6.3.0 update (Important) (RHSA-2014:1020)	Nessus	Red Hat Local Security Checks	medium
77078	RHEL 5 : JBoss EAP (RHSA-2014:1019)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2014-0193

medium

Tenable Plugins

critical

medium

medium