Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-4432

Upgrade version of netty-all due to DoS possibility

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.4.0
    • Fix Version/s: None
    • Component/s: Extensions

      Description

      As documented in CVE-2016-4970, netty-all < 4.0.37.Final is susceptible to a denial of service attack due to TLS renegotiation. While Apache NiFi does not directly reference OpenSslEngine in the code, usages of io.netty.netty-all should be upgraded.

      Current transitive dependencies containing netty-all:

      
      

      Current (absence of) direct usage of OpenSslEngine:

      Targets
          Occurrences of 'netty' in Project with mask '*.java'
      Found Occurrences  (29 usages found)
          Unclassified occurrence  (29 usages found)
              nifi-couchbase-processors  (4 usages found)
                  org.apache.nifi.processors.couchbase  (4 usages found)
                      PutCouchbaseKey.java  (2 usages found)
                          51 import com.couchbase.client.deps.io.netty.buffer.ByteBuf;
                          52 import com.couchbase.client.deps.io.netty.buffer.Unpooled;
                      TestGetCouchbaseKey.java  (2 usages found)
                          54 import com.couchbase.client.deps.io.netty.buffer.ByteBuf;
                          55 import com.couchbase.client.deps.io.netty.buffer.Unpooled;
              nifi-grpc-processors  (25 usages found)
                  org.apache.nifi.processors.grpc  (25 usages found)
                      InvokeGRPC.java  (7 usages found)
                          initializeClient(ProcessContext)  (4 usages found)
                              234 final NettyChannelBuilder nettyChannelBuilder = NettyChannelBuilder.forAddress(host, port)
                              269 nettyChannelBuilder.sslContext(sslContextBuilder.build());
                              272 nettyChannelBuilder.usePlaintext(true);
                              275 final ManagedChannel channel = nettyChannelBuilder.build();
                          62 import io.grpc.netty.GrpcSslContexts;
                          63 import io.grpc.netty.NettyChannelBuilder;
                          64 import io.netty.handler.ssl.SslContextBuilder;
                      ListenGRPC.java  (5 usages found)
                          startServer(ProcessContext)  (1 usage found)
                              185 NettyServerBuilder serverBuilder = NettyServerBuilder.forPort(port)
                          65 import io.grpc.netty.GrpcSslContexts;
                          66 import io.grpc.netty.NettyServerBuilder;
                          67 import io.netty.handler.ssl.ClientAuth;
                          68 import io.netty.handler.ssl.SslContextBuilder;
                      TestGRPCClient.java  (5 usages found)
                          buildChannel(String, int, Map<String, String>)  (1 usage found)
                              86 NettyChannelBuilder channelBuilder = NettyChannelBuilder.forAddress(host, port)
                          38 import io.grpc.netty.GrpcSslContexts;
                          39 import io.grpc.netty.NettyChannelBuilder;
                          40 import io.netty.handler.ssl.ClientAuth;
                          41 import io.netty.handler.ssl.SslContextBuilder;
                      TestGRPCServer.java  (7 usages found)
                          start(int)  (3 usages found)
                              90 final NettyServerBuilder nettyServerBuilder = NettyServerBuilder
                              131 nettyServerBuilder.sslContext(sslContextBuilder.build());
                              134 server = nettyServerBuilder.build().start();
                          35 import io.grpc.netty.GrpcSslContexts;
                          36 import io.grpc.netty.NettyServerBuilder;
                          37 import io.netty.handler.ssl.ClientAuth;
                          38 import io.netty.handler.ssl.SslContextBuilder;
                      TestInvokeGRPC.java  (1 usage found)
                          33 import io.netty.handler.ssl.ClientAuth;
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                alopresto Andy LoPresto
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated: