1162190 – (CVE-2019-20445) VUL-1: CVE-2019-20445: netty: HttpObjectDecoder.java allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header

Bug 1162190 (CVE-2019-20445) - VUL-1: CVE-2019-20445: netty: HttpObjectDecoder.java allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header

Summary: VUL-1: CVE-2019-20445: netty: HttpObjectDecoder.java allows a Content-Length ...

Status:	RESOLVED FIXED

Alias:	CVE-2019-20445

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/252137/
Whiteboard:	CVSSv3.1:SUSE:CVE-2019-20445:5.3:(AV...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2020-01-30 08:57 UTC by Wolfgang Frisch
Modified:	2024-05-22 14:29 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Wolfgang Frisch 2020-01-30 08:57:12 UTC

CVE-2019-20445

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to
be accompanied by a second Content-Length header, or by a Transfer-Encoding
header.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20445
https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final
https://github.com/netty/netty/issues/9861
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445

Comment 1 Silvio Moioli 2020-03-09 10:00:53 UTC

Side note: from a strict SUSE Manager product perspective, this vulnerability does not affect us as we do not make use of any HTTP capability of netty (we use it exclusively for async I/O).

Comment 2 Julio González Gil 2020-03-09 13:27:04 UTC

Can this be assigned to the SUSE Manager team (galaxy-bugs@suse.de, actual maintainers) rather than me directly?

Worst case, assign it to Silvio.

Comment 3 Marcus Meissner 2020-04-15 15:06:17 UTC

I marked it as "ignore" now, but feel free to still fix if time permits.

Comment 4 Thomas Florio 2022-03-11 14:46:43 UTC

I guess this issue can be resolved. All SUSE Manager versions (HEAD, 4.2, 4.1) are using netty 4.1.44, which, if I understood correctly, is not affected by this vulnerability.

Comment 5 Michael Calmer 2022-11-19 11:40:24 UTC

back to security team

Comment 6 Andrea Mattiazzo 2024-05-22 14:29:22 UTC

All done, closing.