{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Critical"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"netty3 security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for netty3 is now available for openEuler-22.03-LTS-SP3",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.\n\nSecurity Fix(es):\n\nNetty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a \"Transfer-Encoding : chunked\" line), which leads to HTTP request smuggling.(CVE-2019-16869)\n\nHttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an \"invalid fold.\"(CVE-2019-20444)\n\nHttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.(CVE-2019-20445)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for netty3 is now available for openEuler-22.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Critical",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"netty3",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2024-2103",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2103"
			},
			{
				"summary":"CVE-2019-16869",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2019-16869&packageName=netty3"
			},
			{
				"summary":"CVE-2019-20444",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2019-20444&packageName=netty3"
			},
			{
				"summary":"CVE-2019-20445",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2019-20445&packageName=netty3"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16869"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20444"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20445"
			},
			{
				"summary":"openEuler-SA-2024-2103 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openeuler-sa-2024-2103.json"
			}
		],
		"title":"An update for netty3 is now available for openEuler-22.03-LTS-SP3",
		"tracking":{
			"initial_release_date":"2024-09-06T20:08:14+08:00",
			"revision_history":[
				{
					"date":"2024-09-06T20:08:14+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2024-09-06T20:08:14+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-09-06T20:08:14+08:00",
			"id":"openEuler-SA-2024-2103",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"openEuler-22.03-LTS-SP3",
									"name":"openEuler-22.03-LTS-SP3"
								},
								"name":"openEuler-22.03-LTS-SP3",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"netty3-3.10.6-8.oe2203sp3.noarch.rpm",
									"name":"netty3-3.10.6-8.oe2203sp3.noarch.rpm"
								},
								"name":"netty3-3.10.6-8.oe2203sp3.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"netty3-3.10.6-8.oe2203sp3.src.rpm",
									"name":"netty3-3.10.6-8.oe2203sp3.src.rpm"
								},
								"name":"netty3-3.10.6-8.oe2203sp3.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"netty3-3.10.6-8.oe2203sp3.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.noarch",
					"name":"netty3-3.10.6-8.oe2203sp3.noarch as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"netty3-3.10.6-8.oe2203sp3.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.src",
					"name":"netty3-3.10.6-8.oe2203sp3.src as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2019-16869",
			"notes":[
				{
					"text":"Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a \"Transfer-Encoding : chunked\" line), which leads to HTTP request smuggling.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.noarch",
					"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.src"
					],
					"details":"netty3 security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2103"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.src"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2019-16869"
		},
		{
			"cve":"CVE-2019-20444",
			"notes":[
				{
					"text":"HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an \"invalid fold.\"",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.noarch",
					"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.src"
					],
					"details":"netty3 security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2103"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"CRITICAL",
						"baseScore":9.1,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.src"
					]
				}
			],
			"threats":[
				{
					"details":"Critical",
					"category":"impact"
				}
			],
			"title":"CVE-2019-20444"
		},
		{
			"cve":"CVE-2019-20445",
			"notes":[
				{
					"text":"HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.noarch",
					"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.src"
					],
					"details":"netty3 security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2103"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"CRITICAL",
						"baseScore":9.1,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:netty3-3.10.6-8.oe2203sp3.src"
					]
				}
			],
			"threats":[
				{
					"details":"Critical",
					"category":"impact"
				}
			],
			"title":"CVE-2019-20445"
		}
	]
}