oss-sec mailing list archives

Netty/Play's Security Updates (CVE-2015-2156)


From: Luca Carettoni <luca.carettoni () ikkisoft com>
Date: Sat, 16 May 2015 17:08:22 -0700

During a recent assessment, we discovered a security flaw within Netty’s
cookie parsing code which leads to a universal HttpOnly bypass in Play
Framework and potentially other frameworks using Netty as a dependency.

The issue has been fixed in Netty 3.9.8.Final, 3.10.3.Final, Netty
4.1.0.Beta5, Netty 4.0.28.Final and Play Framework 2.3.9.

http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass

Technical details of the vulnerability:
http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156

Many other projects using Netty may be vulnerable to similar
"side-effects" of the incorrect cookie parsing routine. We recommend that
every project relying on Netty’s CookieDecoder method should mitigate the
potential risk by upgrading to the latest version.

Cheers,
Luca

-- 

Luca Carettoni
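
A dependency check built from the fixed releases named in the message above, as an added example (not code from Netty, Play or the original post). The artifact names, the qualifier ordering and the sample coordinates are assumptions; release lines the message does not name are reported as `unlisted` rather than guessed.

```python
import re
# Fixed releases named in the advisory, keyed by (product, release line).
FIXED = {
    ("netty", "3.9"): "3.9.8.Final",
    ("netty", "3.10"): "3.10.3.Final",
    ("netty", "4.0"): "4.0.28.Final",
    ("netty", "4.1"): "4.1.0.Beta5",
    ("play", "2.3"): "2.3.9",
}
# Assumption: pre-release qualifiers sort below Final / no qualifier.
RANK = {"alpha": 0, "beta": 1, "cr": 2, "rc": 2, "final": 3, "": 3}
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z]+)(\d*))?$")
# Constructed sample of group:artifact:version coordinates.
SAMPLE = ["io.netty:netty:3.9.7.Final", "io.netty:netty-all:4.0.28.Final",
          "io.netty:netty-codec-http:4.1.0.Beta4", "com.typesafe.play:play_2.11:2.3.9",
          "io.netty:netty:3.8.0.Final", "org.example:app:1.0.0"]

def parse(version):
    m = VERSION.match(version)
    rank = RANK.get((m.group(4) or "").lower()) if m else None
    if rank is None:
        return None  # unknown shape or qualifier
    return f"{m.group(1)}.{m.group(2)}", (int(m.group(3)), rank, int(m.group(5) or 0))

def product_of(group, artifact):
    # Assumption: these artifacts are the ones that ship the HTTP cookie decoder.
    if group == "io.netty" and artifact in ("netty", "netty-all", "netty-codec-http"):
        return "netty"
    if group == "com.typesafe.play" and artifact.startswith("play_"):
        return "play"
    return None

def classify(product, version):
    parsed = parse(version)
    if parsed is None:
        return "unparsed"
    fixed = FIXED.get((product, parsed[0]))
    if fixed is None:
        return "unlisted"  # the advisory names no fixed release for this line
    return "fixed" if parsed[1] >= parse(fixed)[1] else "upgrade"

def audit(coordinates):
    result = {}
    for coord in coordinates:
        parts = coord.split(":")
        product = product_of(*parts[:2]) if len(parts) == 3 else None
        if product:
            result[coord] = classify(product, parts[2])
    return result
```

`audit(SAMPLE)` returns one status per Netty or Play coordinate and skips unrelated artifacts; `unlisted` and `unparsed` results need a manual look at the vendor announcements linked above.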
