All Vulnerability Reports

CVE-2019-16869: Reactor Netty Consumes a Vulnerable Version of Netty

Severity

High

Vendor

Pivotal

Description

Reactor Netty, versions 0.8.x prior to 0.8.13 and 0.9.x prior to 0.9.1, depends on vulnerable versions of netty (versions prior to 4.1.42), which incorrectly handles whitespace before a colon in headers, leading to HTTP request smuggling attacks.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

• Reactor Netty
  • 0.8 versions prior to 0.8.13.RELEASE
  • 0.9 versions prior to 0.9.1.RELEASE

Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

• Reactor Netty
  • v0.9.1.RELEASE
  • v0.8.13.RELEASE

References

• https://pivotal.io/security/cve-2019-16869
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-16869

History

2019-10-28: Initial vulnerability report published.