Bug#793770: Cookie parsing bug may lead to 'HttpOnly' cookie bypass (CVE-2015-2156)

Moritz Muehlenhoff jmm at inutil.org
Mon Jan 9 22:37:40 UTC 2017


severity 793770 grave
thanks

On Mon, Jul 27, 2015 at 11:51:53AM +0200, Luca Bruno wrote:
> Source: netty-3.9
> Version: 3.9.0.Final-1
> Severity: important
> Tags: security upstream patch
> 
> LinkedIn Security Team discovered a "Cookie" header parsing bug in Netty
> that could lead to universal bypass of the HttpOnly flag on cookies.
> 
> If the HttpOnly flag is included in the HTTP Set-Cookie response header,
> the cookie cannot usually be accessed through client-side script.
> This bug can, however, be leveraged to leak the cookie's name-value in the DOM,
> where a malicious script can access the content without any restriction.
> 
> CVE-2015-2156 has been assigned for this issue, which has been fixed upstream
> in releases 3.9.8.Final and 3.10.3.Final.
> Please mention the CVE ID in the changelog when fixing this issue.
> 
> References:
>  * Security update
>    http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
>  * Issue technical details / PoC
>    http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
>  * Fixing commit
>    https://github.com/slandelle/netty/commit/800555417e77029dcf8a31d7de44f27b5a8f79b8

This has been unfixed, with a patch available, for nearly 1.5 years; can we please get this
fixed for the stretch release?

Cheers,
        Moritz
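The report above locates the problem in how the Cookie request header is parsed. As an added illustration (not Netty's code and not the fixing commit), the following contrasts a lenient parser that accepts any byte up to the next ';' with a strict one that applies the RFC 6265 cookie-name / cookie-octet grammar and sets aside every pair that violates it, so that the application never sees a value containing delimiter or control characters; the sample header is constructed.

```python
import re
from typing import Dict, List, Tuple

# RFC 6265 section 4.1.1 grammar:
#   cookie-pair  = cookie-name "=" cookie-value
#   cookie-name  = token            (RFC 2616 token: no CTLs, no separators)
#   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
#                  ; printable US-ASCII minus CTLs, SP, DQUOTE, comma, semicolon, backslash
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")

# Constructed sample: two well-formed pairs, a quoted value, and three malformed pairs
# (comma in value, control character in value, empty name).
SAMPLE_COOKIE_HEADER = (
    'SESSION=abc123; theme=dark; quoted="v1"; '
    'comma=a,b; ctl=x\x01y; =noname; tail=ok'
)


def lenient_parse(header: str) -> Dict[str, str]:
    """Accepts whatever sits between '=' and the next ';' -- no validation at all."""
    out: Dict[str, str] = {}
    for raw in header.split(';'):
        name, _, value = raw.strip().partition('=')
        out.setdefault(name.strip(), value.strip())
    return out


def _valid_value(value: str) -> bool:
    # Quoted form is only valid when both quotes are present.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return _COOKIE_OCTETS.fullmatch(value) is not None


def parse_cookie_header(header: str) -> Tuple[Dict[str, str], List[str]]:
    """Strict split of a Cookie header into name->value.

    Returns (accepted, rejected); rejected keeps the raw offending pairs so the
    caller can log them instead of silently passing them to the application.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for raw in header.split(';'):
        pair = raw.strip()
        if not pair:
            continue
        name, sep, value = pair.partition('=')
        name, value = name.strip(), value.strip()
        if not sep or _TOKEN.fullmatch(name) is None or not _valid_value(value):
            rejected.append(pair)
            continue
        accepted.setdefault(name, value)  # first occurrence wins (RFC 6265 section 5.4)
    return accepted, rejected
```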