HTTP request smuggling vulnerability due to use of Netty
Affected product(s)
- Gradle Enterprise < 2021.4
- Gradle Enterprise Test Distribution Agent < 1.6.4
- Build Cache Node < 11.0
Severity
Moderate
Published at
2022-01-07
Related CVE ID(s)
Description
Gradle Enterprise components use the Netty library, which for versions <= 4.1.7.1.Final is vulnerable to HTTP request smuggling attacks.
Attackers can use HTTP request smuggling to attach “extra” HTTP requests to a legitimate-looking request. These extra requests can then be used in a variety of ways, including bypassing security controls in order to launch other attacks (such as accessing protected data or poisoning a cache). See CAPEC-33: HTTP Request Smuggling and this article from the Web Application Security Consortium for more information. No Gradle Enterprise-specific attacks based on this general vulnerability are known at this time.
This vulnerability applies to Gradle Enterprise components that accept HTTP traffic and are not fronted by a proxy that is free of the same vulnerability.
The Gradle Enterprise application is not vulnerable as it includes a proxy that mitigates the problem, though it does include the vulnerable library.
The Gradle Enterprise Test Distribution Agent is not vulnerable as it does not serve HTTP requests, though it does include the vulnerable library.
The Gradle Enterprise built-in Build Cache Node is not vulnerable as it includes a proxy that mitigates the problem, though it does include the vulnerable library.
The Build Cache Node is vulnerable when used as a remote node, unless it is fronted by a network proxy that does not have the same vulnerability. Build Cache Node users not also using such a network proxy should upgrade as soon as possible.
Mitigation
Remote Build Cache Node deployments should be upgraded to version 11.0 or later, or be fronted with a network proxy that mitigates the vulnerability.
While not subject to the vulnerability, users should update to Gradle Enterprise 2021.4 or later, and Gradle Enterprise Test Distribution Agents 1.6.4 or later, to avoid the presence of the vulnerable library.
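The exposure rules and fixed versions above can be applied to a deployment inventory as in the following added example, which is not Gradle's own code. The component keys, status strings, host names and inventory versions are constructed for illustration, and versions are assumed to be purely numeric and dot-separated.

```python
# Fixed versions as stated in the advisory; component keys are hypothetical labels.
FIXED = {
    "gradle-enterprise": (2021, 4),
    "test-distribution-agent": (1, 6, 4),
    "build-cache-node": (11, 0),
}

def parse_version(text):
    """Turn '10.3' into (10, 3). Assumes purely numeric dotted versions."""
    return tuple(int(part) for part in text.strip().split("."))

def is_before(version, fixed):
    """Compare after zero-padding, so that '11' is treated the same as '11.0'."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def triage(component, version, remote_node=False, mitigating_proxy=False):
    """Classify one deployment according to the advisory's exposure rules.

    remote_node: a Build Cache Node run as a remote node (not the built-in one).
    mitigating_proxy: fronted by a proxy that does not share the vulnerability.
    """
    if not is_before(parse_version(version), FIXED[component]):
        return "fixed"
    if component == "build-cache-node" and remote_node and not mitigating_proxy:
        return "vulnerable: upgrade or front with a mitigating proxy"
    return "not exposed, vulnerable library present: upgrade recommended"

# Constructed inventory for illustration; host names and versions are made up.
INVENTORY = [
    ("ge.example.internal", "gradle-enterprise", "2021.3", {}),
    ("cache-eu.example.internal", "build-cache-node", "10.2", {"remote_node": True}),
    ("cache-us.example.internal", "build-cache-node", "10.2",
     {"remote_node": True, "mitigating_proxy": True}),
    ("cache-ap.example.internal", "build-cache-node", "11.0", {"remote_node": True}),
    ("agent-01.example.internal", "test-distribution-agent", "1.6.3", {}),
]

def report(inventory):
    """Return {host: status} for every inventory entry."""
    return {host: triage(comp, ver, **opts) for host, comp, ver, opts in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:28} {status}")
```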