Flume / FLUME-3363

CVE-2019-20445


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.9.0
    • Fix Version/s: 1.10.0
    • Component/s: Channel

    Description

      flume-ng-core-1.9.0 requires the Netty component, and the required version is as follows:
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty</artifactId>
        <version>3.10.6.Final</version>
      </dependency>
      I think we should upgrade Netty to its latest version: netty-4.1.45.Final. The reasons are as follows:
      The CVE-2019-20445 vulnerability exists in netty-3.10.6.Final: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. For details see: https://nvd.nist.gov/vuln/detail/CVE-2019-20445
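
      The header combinations named in the CVE description above, expressed as a check that a proxy filter or test harness could run over one message's header lines. This is an added example, not code from Flume or Netty; the class name, method name and sample host are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Added illustration; names here are hypothetical, not Netty or Flume API. */
public class FramingHeaderCheck {

    enum Verdict { OK, DUPLICATE_CONTENT_LENGTH, CONTENT_LENGTH_WITH_TRANSFER_ENCODING }

    /** Inspects the header lines of one HTTP/1.1 message (start line excluded). */
    static Verdict check(List<String> headerLines) {
        List<String> contentLengths = new ArrayList<>();
        boolean hasTransferEncoding = false;
        for (String line : headerLines) {
            int colon = line.indexOf(':');
            if (colon <= 0) continue;  // not a header field line
            // Header names are case-insensitive; normalise before comparing.
            String name = line.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = line.substring(colon + 1).trim();
            if (name.equals("content-length")) {
                // A comma-separated value counts as several Content-Length values.
                for (String v : value.split(",")) contentLengths.add(v.trim());
            } else if (name.equals("transfer-encoding")) {
                hasTransferEncoding = true;
            }
        }
        if (contentLengths.size() > 1) return Verdict.DUPLICATE_CONTENT_LENGTH;
        if (!contentLengths.isEmpty() && hasTransferEncoding) {
            return Verdict.CONTENT_LENGTH_WITH_TRANSFER_ENCODING;
        }
        return Verdict.OK;
    }

    public static void main(String[] args) {
        // Constructed sample header blocks, not captured traffic.
        List<List<String>> samples = List.of(
            List.of("Host: flume.example", "Content-Length: 12"),
            List.of("Host: flume.example", "Content-Length: 12", "content-length: 0"),
            List.of("Host: flume.example", "Content-Length: 12", "Transfer-Encoding: chunked"));
        for (List<String> headers : samples) {
            System.out.println(check(headers) + "  <-  " + headers);
        }
    }
}
```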
       

          People

            Assignee: Unassigned
            Reporter: dlzp
            Votes: 1
            Watchers: 5
