Netty is vulnerable to HTTP request smuggling, caused by a flaw when handling unusual whitespaces before the colon in HTTP headers. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. IBM Performance Management has addressed the applicable CVE.
CVEID:CVE-2019-16869
**DESCRIPTION:**Netty is vulnerable to HTTP request smuggling, caused by a flaw when handling unusual whitespaces before the colon in HTTP headers. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167672 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Cloud APM | 8.1.4 |
IBM Cloud APM, Advanced Private | 8.1.4 |
IBM Cloud APM, Base Private | 8.1.4 |
IBM Cloud Application Performance Management, Base Private
IBM Cloud Application Performance Management, Advanced Private| 8.1.4|
The vulnerability can be remediated by applying the following 8.1.4.0-IBM-APM-SERVER-IF0010 or later server patch to the system where the Cloud APM server is installed: <https://www.ibm.com/support/pages/node/6120993>
The vulnerability can be remediated by applying the following 8.1.4.0-IBM-APM-GATEWAY-IF0008 or later Hybrid Gateway patch to the system where the Hybrid Gateway is installed: <https://www.ibm.com/support/pages/node/6125031>
—|—|—
IBM Cloud Application Performance Management
| N/A|
The vulnerability can be remediated by applying the following 8.1.4.0-IBM-APM-GATEWAY-IF0008 or later Hybrid Gateway patch to the system where the Hybrid Gateway is installed: <https://www.ibm.com/support/pages/node/6125031>
None