Vulnerability Name:

CVE-2019-20445 (CCN-175486)

Assigned: 2019-12-09
Published: 2019-12-09
Updated: 2021-09-14
Summary: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CVSS v3 Severity: 9.1 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-444 (Inconsistent Interpretation of HTTP Requests, "HTTP Request Smuggling")
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2019-20445

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0497

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0567

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0601

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0605

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0606

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0804

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0805

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0806

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0811

Source: XF
Type: UNKNOWN
netty-cve201920445-weak-security(175486)

Source: MISC
Type: Patch, Release Notes, Third Party Advisory
https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final

Source: CCN
Type: Netty GIT Repository
Non-proper handling of Content-Length and Transfer-Encoding: chunked headers #9861

Source: MISC
Type: Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/netty/netty/issues/9861

Source: MLIST
Type: Mailing List, Third Party Advisory
[flume-issues] 20200415 [jira] [Updated] (FLUME-3363) CVE-2019-20445

Source: MLIST
Type: Mailing List, Third Party Advisory
[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20200209 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445

Source: MLIST
Type: Mailing List, Third Party Advisory
[geode-dev] 20200408 Proposal to bring GEODE-7969 to support/1.12

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-issues] 20210824 [jira] [Created] (SPARK-36572) Upgrade version of io.netty to 4.1.44.Final to solve CVE-2019-20444 and CVE-2019-20445

Source: MISC
Type: Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20200203 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-reviews] 20200310 [GitHub] [spark] dongjoon-hyun commented on issue #27870: [SPARK-31095][BUILD][2.4] Upgrade netty-all to 4.1.47.Final

Source: MLIST
Type: Mailing List, Third Party Advisory
[cassandra-commits] 20200604 [jira] [Created] (CASSANDRA-15856) Security vulnerabilities with dependency jars of Cassandra 3.11.6

Source: MLIST
Type: Mailing List, Third Party Advisory
[flume-issues] 20200410 [jira] [Created] (FLUME-3363) CVE-2019-20445

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20200204 [jira] [Resolved] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20200209 [jira] [Commented] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445

Source: MLIST
Type: Mailing List, Third Party Advisory
[druid-commits] 20200131 [GitHub] [druid] zachjsh opened a new pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20210121 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20200203 [jira] [Assigned] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20200203 Re: [VOTE] Apache ZooKeeper release 3.6.0 candidate 1

Source: MISC
Type: Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20210120 [GitHub] [pulsar] fmiguelez opened a new issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444

Source: MLIST
Type: Mailing List, Third Party Advisory
[cassandra-commits] 20200218 [jira] [Created] (CASSANDRA-15590) Upgrade io.netty_netty-all dependency to fix security vulnerabilities

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445

Source: MISC
Type: Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E

Source: MLIST
Type: Mailing List, Third Party Advisory
[geode-dev] 20200408 Re: Proposal to bring GEODE-7969 to support/1.12

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20200203 [jira] [Updated] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20200203 [jira] [Created] (ZOOKEEPER-3716) upgrade netty 4.1.42 to address CVE-2019-20444 CVE-2019-20445

Source: MLIST
Type: Mailing List, Third Party Advisory
[flink-issues] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink

Source: MLIST
Type: Mailing List, Third Party Advisory
[spark-issues] 20200309 [jira] [Created] (SPARK-31095) Upgrade netty version to fix security vulnerabilities

Source: MISC
Type: Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E

Source: MLIST
Type: Mailing List, Third Party Advisory
[flume-issues] 20200422 [jira] [Commented] (FLUME-3363) CVE-2019-20445

Source: MISC
Type: Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list

Source: MLIST
Type: Mailing List, Third Party Advisory
[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20210122 [GitHub] [pulsar] hpvd commented on issue #9249: Upgrade Netty dependency in broker to solve vulnerabilities: CVE-2019-16869, CVE-2020-11612, CVE-2019-20445, CVE-2019-20444

Source: MLIST
Type: Mailing List, Third Party Advisory
[druid-commits] 20200131 [GitHub] [druid] ccaominh commented on a change in pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444

Source: MLIST
Type: Mailing List, Third Party Advisory
[flink-dev] 20200910 [jira] [Created] (FLINK-19195) question on security vulnerabilities in flink

Source: MISC
Type: Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E

Source: MLIST
Type: Mailing List, Third Party Advisory
[druid-commits] 20200131 [GitHub] [druid] gianm merged pull request #9300: Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200219 [SECURITY] [DLA 2109-1] netty security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200904 [SECURITY] [DLA 2364-1] netty security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200904 [SECURITY] [DLA 2365-1] netty-3.9 security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-66b5f85ccc

Source: UBUNTU
Type: Third Party Advisory
USN-4532-1

Source: DEBIAN
Type: Third Party Advisory
DSA-4885

Source: CCN
Type: IBM Security Bulletin 5225085 (Operations Analytics Predictive Insights)
Multiple vulnerabilities in netty affect IBM Operations Analytics Predictive Insights (CVE-2019-20445, CVE-2019-20444)

Source: CCN
Type: IBM Security Bulletin 5692628 (Rational Test Virtualization Server)
Rational Integration Tester HTTP/TCP Proxy component in Rational Test Virtualization Server and Rational Test Workbench affected by Netty vulnerabilities (CVE-2020-7238, CVE-2019-16869, CVE-2019-20445, CVE-2019-20444)

Source: CCN
Type: IBM Security Bulletin 6113458 (Tivoli Netcool/OMNIbus)
Multiple vulnerabilities have been identified in Netty shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library (CVE-2019-20445, CVE-2019-20444)

Source: CCN
Type: IBM Security Bulletin 6214358 (InfoSphere Guardium Activity Monitor)
IBM Security Guardium Insights is affected by a Netty vulnerability

Source: CCN
Type: IBM Security Bulletin 6216874 (Spectrum Scale)
Multiple vulnerabilities in netty affect IBM Spectrum Scale Transparent Cloud Tiering (CVE-2019-20445, CVE-2019-20444)

Source: CCN
Type: IBM Security Bulletin 6320057 (Security Guardium Insights)
IBM Security Guardium Insights is affected by Components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6338533 (Cloud Private)
Security Vulnerabilities affect IBM Cloud Private - Netty (CVE-2019-20445, CVE-2019-20444)

Source: CCN
Type: IBM Security Bulletin 6403832 (MaaS360 Mobile Enterprise Gateway)
IBM MaaS360 Mobile Enterprise Gateway has security vulnerabilities (CVE-2019-2044, CVE-2019-2045)

Source: CCN
Type: IBM Security Bulletin 6491163 (Planning Analytics)
IBM Planning Analytics Workspace is affected by security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6495959 (Sterling B2B Integrator)
Netty Vulnerabilities Affect the B2B API of IBM Sterling B2B Integrator

Source: CCN
Type: IBM Security Bulletin 6520510 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6607599 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6830983 (Sterling Order Management)
IBM Sterling Order Management Netty 4.1.34 vulnerablity

Source: CCN
Type: IBM Security Bulletin 6831849 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6980407 (Sterling Order Management)
Netty Vulnerabilites 4.0.37

Source: CCN
Type: IBM Security Bulletin 7001867 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-20445

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:netty:netty:*:*:*:*:*:*:*:* (Version < 4.1.44)

Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration 5:
  • cpe:/a:redhat:jboss_amq_clients:2:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*
  AND
  • cpe:/o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 6:
  • cpe:/a:apache:spark:2.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:spark:2.4.8:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_test_workbench:9.2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_guardium_activity_monitor:10.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_guardium_activity_monitor:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_insights:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:com.ubuntu.bionic:def:2019204450000000 | V | CVE-2019-20445 on Ubuntu 18.04 LTS (bionic) - untriaged. | 2020-01-29
    oval:com.ubuntu.xenial:def:2019204450000000 | V | CVE-2019-20445 on Ubuntu 16.04 LTS (xenial) - untriaged. | 2020-01-29
    netty netty *
    debian debian linux 8.0
    debian debian linux 9.0
    debian debian linux 10.0
    fedoraproject fedora 33
    canonical ubuntu linux 18.04
    redhat jboss amq clients 2
    redhat jboss enterprise application platform 7.2
    redhat jboss enterprise application platform 7.3
    redhat enterprise linux 6.0
    redhat enterprise linux 7.0
    redhat enterprise linux 8.0
    apache spark 2.4.7
    apache spark 2.4.8
    ibm tivoli netcool/omnibus 8.1.0
    ibm operations analytics predictive insights 1.3.6
    ibm rational test workbench 9.2.1.1
    ibm sterling b2b integrator 6.0.1.0
    ibm cloud transformation advisor 2.0.1
    ibm infosphere guardium activity monitor 10.6
    ibm infosphere guardium activity monitor 11.0
    ibm cloud private 3.2.1 cd
    ibm cloud private 3.2.2 cd
    ibm security guardium insights 2.0.1
    ibm sterling b2b integrator 6.1.0.0
    ibm planning analytics 2.0
    ibm cognos analytics 11.2.0
    ibm cognos analytics 11.1.7
    ibm cloud pak for security 1.10.0.0