Is grizzly-http vulnerable to CVE-2024-45687?

[chschommer]

Hello all,

I ran an OWASP scan on our application and encountered a potential security alert related to grizzly. The scan flagged the following:

• File: tyrus-standalone-client-2.2.0.jar/META-INF/maven/org.glassfish.grizzly/grizzly-http/pom.xml
• Version: grizzly-http 4.0.2
• CVE: CVE-2024-45687
• Description: Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)
• CVSSv2 Base Score: 2.4

The report indicates that this vulnerability is noted in the context of the Payara Platform (both Payara Server and Payara Micro), suggesting that some Grizzly modules may be involved in this issue. However, it’s not entirely clear whether grizzly-http itself is affected, if this is a false positive, or if a fix/mitigation is already in place. The whole case is a bit confusing for me.

This is my first issue report, so I apologize if I asked a stupid question or did something wrong. Could you please help clarify the following:

• Is grizzly-http 4.0.2 vulnerable to CVE-2024-45687, or does this report possibly represent a false positive?

• Do you know if this issue has been addressed in a more recent release, or is there a recommended mitigation?

Any guidance or additional details you could provide would be greatly appreciated.

Thank you for your time and support.

Best regards,
Christopher

[carryel]

@chschommer This issue is probably the same as the issue below.

#2212

This issue has been patched, but has not been officially released.
This means that it is not included in the current latest release, 4.0.2, and will be included in later versions.

In addition, for the currently applied version, it operates as false by default for compatibility, and it is set to operate only when an option is given.

ex) -Dorg.glassfish.grizzly.http.STRICT_HEADER_NAME_VALIDATION_RFC_9110=true -Dorg.glassfish.grizzly.http.STRICT_HEADER_VALUE_VALIDATION_RFC_9110=true

I think the community needs to discuss when the official version with the patch will be released, and whether the default option will be changed to true.

[chschommer]

@carryel Thanks for your reply. Do you know if there is a schedule yet for the update?

[carryel]

@arjantijms Is there any upcoming release schedule?
How about releasing this security patch along with other PRs currently pending review?

[chschommer]

@arjantijms @carryel

I am sorry to bother you again. We are using Grizzly in one of our apps, and the annual approval coming up, that includes automatic vulnerability testing. While we all agree, this is a minor thing, the people doing the approval might not (because they are simply running the tests)

I understand maintaining an open-source project is a lot of work, and I don’t want to rush anything. However, if there’s any chance of releasing an updated version addressing this vulnerability soon, it would be very cool.

[carryel]

@chschommer Grizzly v4.1.0 will be released soon. cc @OndroMih

#2231

[OndroMih]

I’m sorry it takes so long to release this. Until recently, Grizzly was a separate project, with very few active committers. After it’s been merged into the GlassFish project, there are many more active committers who can release a new version, including me. And we plan a new release 4.1.0 this week.

[deven-github]

So is CVE-2024-45687 fix is released or releasing soon? We are waiting for that.

[carryel]

I reopened this issue because I thought it would be better to close it after Grizzly is released to track the issue.

@deven-github It hasn't been released yet, but I understand it's in preparation.
I'll keep an eye on the release. I'll let you know when it's released.

[carryel]

@deven-github If you have any thoughts on this #2231 (comment), could you please share your thoughts?