A fix for this issue was committed to the `io.netty` Git repository on October 1st, 2018. Additionally, a new release of Netty is being prepared which will fix this vulnerability in `io.netty:netty-codec-http` as well as many other issues. Stay tuned for details on this release. If you'd like to help in testing the new version of Netty, please see the [ getting started guide ](https://github.com/kr/netty/blob/master/RELEASES.md#testing-new-releases) . !!! IMPORTANT !!! If you are using the `Netty 4.x series https://github.com/kr/netty/releases>`_, please upgrade to the latest version. The new version of Netty fixes many other issues as well as the issue described above. If you are using the `Netty 3.x series https://github.com/kr/netty/releases>`_, please upgrade to the latest version. Stay tuned for details on the release of Netty 3.15.1. !!!

Summary of vulnerability

IO.Netty is a Java networking library which is used by many websites to create HTTP endpoints. An issue was found that can allow an attacker to craft a specially-crafted request which would execute arbitrary code on the server when processed.

What is a HTTP Header?

A HTTP header is a name/value pair that is sent, usually in the headers of the HTTP response, by a Web server to the client.
The header contains metadata about the request. The HTTP specification defines several standardized headers which must be followed, but there are also many custom headers defined within specific applications.
A header is part of an HTTP request and can appear multiple times in a request message.

Timeline

Published on: 05/06/2022 12:15:00 UTC
Last modified on: 07/25/2022 18:22:00 UTC

References