CVE-2021-21409: 
Java vulnerability analysis and mitigation

Netty (io.netty:netty-codec-http2) before version 4.1.61.Final contains a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This vulnerability was discovered in March 2021 and is tracked as CVE-2021-21409. This is a followup to CVE-2021-21295 which did not fully address all cases (GitHub Advisory).

The vulnerability exists in the HTTP/2 header validation logic where the content-length header is not properly validated when a request uses a single Http2HeaderFrame with endStream flag set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The vulnerability has a CVSS v3.1 base score of 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (Debian Security).

If successfully exploited, this vulnerability could lead to request smuggling when requests are proxied and translated from HTTP/2 to HTTP/1.1. This could potentially allow an attacker to modify or inject data into the request stream, leading to security issues in downstream systems (GitHub Advisory).

The vulnerability was fixed in Netty version 4.1.61.Final. As a workaround before upgrading, users can implement custom validation by creating a ChannelInboundHandler that validates the header before proxying the request. The handler should be placed in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec (GitHub Advisory).

Multiple major projects and organizations responded to this vulnerability by upgrading their Netty dependencies, including Apache Pulsar, Apache Zookeeper, and Apache Flink. NetApp issued an advisory (NTAP-20210604-0003) addressing this vulnerability in their products (NetApp Advisory).