Bugzilla – Bug 1206379
VUL-0: CVE-2022-41915: netty3,netty: HTTP Response splitting from assigning header value iterator
Last modified: 2024-05-03 09:24:16 UTC
CVE-2022-41915

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call followed by `add()` in a loop over the iterator of values.

Upstream fix:
https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41915
https://www.cve.org/CVERecord?id=CVE-2022-41915
https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
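An added example of the workaround described above; it is not part of this bug report or of Netty's own code. Instead of handing the whole collection of values to `set()`, each value goes through `add()` so Netty's default per-value validation runs on every element; the helper here goes one step further than the advisory and stages the values in a scratch header set first, so a rejected value leaves the target headers untouched. `DefaultHttpHeaders`, `HttpHeaders`, `add()`, `remove()` and `getAll()` are Netty's real API; the class and method names `NettyHeaderWorkaround` and `setValidated`, and the sample values, are constructed for this example.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;

import java.util.Arrays;
import java.util.List;

public class NettyHeaderWorkaround {

    // Workaround shape from the advisory: do not call set(name, values) with a
    // collection; remove() the header and add() each value individually so the
    // validating add() path inspects every value.
    //
    // Assumption of this example: values are first added to a scratch
    // DefaultHttpHeaders (validation enabled by default), so that if any value is
    // rejected nothing has been written to the target yet.
    static void setValidated(HttpHeaders target, CharSequence name, Iterable<?> values) {
        HttpHeaders staged = new DefaultHttpHeaders();
        for (Object value : values) {
            // Throws IllegalArgumentException on a value carrying CR/LF or other
            // prohibited characters.
            staged.add(name, value);
        }
        target.remove(name);
        for (String value : staged.getAll(name)) {
            target.add(name, value);
        }
    }

    public static void main(String[] args) {
        HttpHeaders headers = new DefaultHttpHeaders();

        // Constructed sample: a clean list is applied normally.
        setValidated(headers, "Cache-Control", Arrays.asList("no-cache", "private"));
        System.out.println("Cache-Control: " + headers.getAll("Cache-Control"));

        // Constructed sample: the second value embeds a CRLF, the pattern that
        // response splitting depends on. The validating add() rejects it and,
        // because of the staging step, the previously set values survive intact.
        List<String> tainted = Arrays.asList("no-store", "private\r\nX-Injected: 1");
        try {
            setValidated(headers, "Cache-Control", tainted);
            System.out.println("unexpected: tainted values were accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("Cache-Control after rejection: " + headers.getAll("Cache-Control"));
    }
}
```

Run against a Netty release before 4.1.86.Final to confirm the difference: a plain `headers.set("Cache-Control", tainted)` on such a version accepts the CRLF value, while the `add()` loop rejects it.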
Affected:
- SUSE:SLE-15-SP2:Update/netty
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update/netty
- SUSE:SLE-15-SP3:Update:Products:Manager42:Update/netty
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update/netty
- openSUSE:Backports:SLE-15-SP3:Update/netty
SUSE-SU-2023:2096-1: An update that solves three vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1199338, 1206360, 1206379
CVE References: CVE-2022-24823, CVE-2022-41881, CVE-2022-41915
Jira References: SLE-23217

Sources used:
openSUSE Leap 15.4 (src): netty-tcnative-2.0.59-150200.3.10.1, netty-4.1.90-150200.4.14.1
Development Tools Module 15-SP4 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise Real Time 15 SP3 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Enterprise Storage 7.1 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Enterprise Storage 7 (src): netty-tcnative-2.0.59-150200.3.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2096-2: An update that solves three vulnerabilities and contains one feature can now be installed.

Category: security (important)
Bug References: 1199338, 1206360, 1206379
CVE References: CVE-2022-24823, CVE-2022-41881, CVE-2022-41915
Jira References: SLE-23217

Sources used:
openSUSE Leap 15.5 (src): netty-tcnative-2.0.59-150200.3.10.1, netty-4.1.90-150200.4.14.1
Development Tools Module 15-SP5 (src): netty-tcnative-2.0.59-150200.3.10.1
SUSE Package Hub 15 15-SP5 (src): netty-4.1.90-150200.4.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixed. Time to close it.
done, closing