VYPR
High severity · NVD Advisory · Published Sep 26, 2019 · Updated Jul 7, 2025

CVE-2019-16869

Description

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Netty before 4.1.42.Final allows HTTP request smuggling by mishandling whitespace before the colon in HTTP headers.

Vulnerability

CVE-2019-16869 is an HTTP request smuggling vulnerability in Netty, the high-performance network application framework for Java. The issue originates from how Netty parses HTTP headers: it does not properly handle whitespace characters that appear before the colon in a header line. For example, a header like "Transfer-Encoding : chunked" (with a space before the colon) is parsed differently than the standard "Transfer-Encoding: chunked", allowing an attacker to manipulate how request boundaries are interpreted [1].

Exploitation

An attacker can exploit this by crafting a malicious HTTP request that includes a header with whitespace before the colon, such as a malformed "Transfer-Encoding" header. This can cause the Netty-based HTTP server to misinterpret where one request ends and the next begins. The attack does not require authentication if the target system processes HTTP requests from untrusted sources. The attacker only needs the ability to send HTTP requests to a vulnerable server, making this an easily reachable issue from the network [1].

Impact

Successful exploitation leads to HTTP request smuggling, where an attacker can cause the server to treat a single crafted request as multiple requests, or vice versa. This can be used to bypass security controls, poison web caches, hijack user sessions, or trigger other vulnerabilities by injecting malicious content into what the server perceives as subsequent requests. The impact is frequently rated as important because it can be leveraged for further attacks [1], [2], [3], [4].

Mitigation

The vulnerability is fixed in Netty version 4.1.42.Final and later. Users are strongly advised to update to the fixed version. Red Hat issued several advisories (RHSA-2019:3892, RHSA-2020:0159, RHSA-2020:0160, RHSA-2020:0161) to address this issue in Red Hat JBoss Enterprise Application Platform (EAP) versions 7.2.6 and later [2], [3], [4]. No workarounds are known; updating to the patched Netty version is the recommended mitigation.
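As an added example (not Netty's code and not part of this advisory), the following puts a lenient header parser that reproduces the mismatch described under Vulnerability next to a strict one that applies the RFC 7230 rule of rejecting any whitespace between field-name and colon, which is the server-side check that removes the framing ambiguity. The sample header bytes are constructed for illustration.

```python
import re

# RFC 7230 section 3.2.4: no whitespace is allowed between a field-name and the
# colon, and a server MUST reject a request that contains it (400 Bad Request).
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 token chars

# Constructed sample header blocks (not from any real capture). The first has the
# space before the colon that the advisory describes, plus a Content-Length that
# gives a second, competing body length.
SMUGGLING_SHAPED = (
    b"Host: example.test\r\n"
    b"Transfer-Encoding : chunked\r\n"
    b"Content-Length: 5\r\n"
)
WELL_FORMED = b"Host: example.test\r\nTransfer-Encoding: chunked\r\n"


def parse_lenient(raw: bytes) -> dict:
    """Split at the first colon and keep the field-name exactly as sent.
    The key becomes 'Transfer-Encoding ' (trailing space), so a lookup of
    'Transfer-Encoding' misses and a consumer would fall back to Content-Length,
    while a peer that trims the name would use chunked framing instead."""
    headers = {}
    for line in filter(None, raw.split(b"\r\n")):
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def parse_strict(raw: bytes) -> dict:
    """Accept a line only if its field-name is a valid token; whitespace before
    the colon (or a missing colon) raises, which a server maps to a 400 response
    rather than guessing at the message framing."""
    headers = {}
    for line in filter(None, raw.split(b"\r\n")):
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name.decode("latin-1")):
            raise ValueError(f"rejecting malformed header line: {line!r}")
        headers[name.decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def strict_accepts(raw: bytes) -> bool:
    """True when every header line passes the strict parser."""
    try:
        parse_strict(raw)
    except ValueError:
        return False
    return True
```

Running `parse_lenient(SMUGGLING_SHAPED)` shows the stray `'Transfer-Encoding '` key, while `strict_accepts(SMUGGLING_SHAPED)` is False and `strict_accepts(WELL_FORMED)` is True.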

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        | Affected versions                | Patched versions
io.netty:netty-all (Maven)     | >= 4.0.0.Alpha1, < 4.1.42.Final  | 4.1.42.Final
org.jboss.netty:netty (Maven)  | >= 0                             |

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 84

News mentions: 0 (no linked articles in our index yet)