oss-sec mailing list archives
Netty/Play's Security Updates (CVE-2015-2156)
From: Luca Carettoni <luca.carettoni () ikkisoft com>
Date: Sat, 16 May 2015 17:08:22 -0700
During a recent assessment, we discovered a security flaw within Netty’s cookie parsing code which leads to a universal HttpOnly bypass in Play Framework and potentially other frameworks using Netty as a dependency. The issue has been fixed in Netty 3.9.8.Final, 3.10.3.Final, Netty 4.1.0.Beta5, Netty 4.0.28.Final and Play Framework 2.3.9. http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass Technical details of the vulnerability: http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156 Many other projects using Netty may be vulnerable to similar "side-effects" of the incorrect cookies parsing routine. We recommend that every project relying on Netty’s CookieDecoder method should mitigate the potential risk by upgrading to the latest version. Cheers, Luca -- Luca Carettoni
Current thread:
- Netty/Play's Security Updates (CVE-2015-2156) Luca Carettoni (May 16)