CVE-2024-9622: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2024-9622) was discovered in the resteasy-netty4 library related to improper handling of HTTP requests using smuggling techniques. When an HTTP smuggling request containing an ASCII control character is sent, it causes the Netty HttpObjectDecoder to transition into a BAD_MESSAGE state. The vulnerability was disclosed on October 8, 2024 and affects the resteasy-netty4 library (NVD).

The vulnerability occurs when the Netty HttpObjectDecoder transitions into the BAD_MESSAGE state after processing a smuggled request containing an ASCII control character. While the system correctly responds with a 400 Bad Request, it includes a Connection: keep-alive header, allowing the connection to persist in a bad state. This causes subsequent legitimate requests on the same connection to be ignored by the HttpObjectDecoder (GitHub Discussion). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

When exploited, this vulnerability causes subsequent legitimate requests on the affected connection to be ignored, leading to client timeouts. This is particularly problematic in environments using load balancers, where the connection in a bad state might be reused later for legitimate client requests, potentially causing service disruption (GitHub Discussion).

Two potential fixes have been proposed: 1) Sending a Connection: close response header to ensure the client closes the connection after receiving the 400 Bad Request, or 2) Calling HttpObjectDecoder.reset() to clear the bad state and allow the decoder to process subsequent requests properly. A fix is being tracked under RESTEASY-3553 (GitHub Discussion).