ZooKeeper / ZOOKEEPER-2450

Upgrade Netty version due to security vulnerability (CVE-2014-3488)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.4.8, 3.5.1, 3.6.0
    • Fix Version/s: 3.4.9, 3.5.2, 3.6.0
    • Component/s: security, server
    • Labels:
      None

      Description

      This JIRA recreates ZOOKEEPER-2432, which was deleted as collateral damage during the anti-spam effort the Apache Infrastructure Team carried out a few weeks ago. The JIRA is recreated for the record so that external documentation can link back to it.

      The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message [1]. We use Netty 3.7.x in ZK 3.4/3.5/3.6, and that Netty line is affected by this vulnerability.

      [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3488
      [2] http://netty.io/news/
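A quick way to check an installed ZooKeeper for the affected dependency is to look at the Netty jar shipped in its lib/ directory and compare its version against 3.9.2, the first Netty 3.x release the CVE text names as fixed. The script below is an added example, not part of this issue or of the ZooKeeper project; it assumes the Netty 3.x jar is named netty-<version>.jar (the Maven artifact naming, e.g. netty-3.7.0.Final.jar) and only classifies 3.x jars. Versions are compared as integer tuples so that 3.10.x is correctly ranked above 3.9.x, which a plain string comparison would get wrong.

```python
"""Flag a Netty 3.x jar older than 3.9.2 (CVE-2014-3488) in a ZooKeeper lib/ dir.

Added example; not part of ZOOKEEPER-2450 or the ZooKeeper code base.
Assumptions: jars are named netty-<major>.<minor>.<patch>[.<qualifier>].jar, and the
affected range is every Netty 3.x release before 3.9.2, as stated in the CVE text.
"""
import os
import re
import sys
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

FIXED_VERSION: Version = (3, 9, 2)  # first Netty 3.x release with the SslHandler fix

# Matches e.g. netty-3.7.0.Final.jar or netty-3.9.2.jar; the qualifier is optional.
_JAR_RE = re.compile(r"^netty-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$")


def parse_netty_version(jar_name: str) -> Optional[Version]:
    """Return (major, minor, patch) for a Netty 3.x-style jar name, else None."""
    m = _JAR_RE.match(os.path.basename(jar_name))
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """CVE-2014-3488 affects Netty 3.x before 3.9.2; other major lines are out of scope."""
    return version[0] == 3 and version < FIXED_VERSION


def scan_jar_names(jar_names: List[str]) -> List[Tuple[str, bool]]:
    """Classify the Netty jars in a list of file names as [(jar, vulnerable?)]."""
    results = []
    for name in jar_names:
        version = parse_netty_version(name)
        if version is not None:
            results.append((name, is_vulnerable(version)))
    return results


def scan_lib_dir(lib_dir: str) -> List[Tuple[str, bool]]:
    """Scan a real ZooKeeper lib/ directory, e.g. /opt/zookeeper/lib (hypothetical path)."""
    return scan_jar_names(sorted(os.listdir(lib_dir)))


if __name__ == "__main__":
    # Constructed sample, modelled on the Netty 3.7.x the issue says ZK 3.4/3.5/3.6 ship.
    sample = ["jline-0.9.94.jar", "netty-3.7.0.Final.jar", "slf4j-api-1.6.1.jar"]
    names = sorted(os.listdir(sys.argv[1])) if len(sys.argv) > 1 else sample
    for jar, vulnerable in scan_jar_names(names):
        print(f"{jar}: {'VULNERABLE (CVE-2014-3488)' if vulnerable else 'ok'}")
```

Run it with the path to the ZooKeeper lib/ directory as the only argument; with no argument it classifies the constructed sample list. A "VULNERABLE" line means the installed Netty predates the fix, which is what the upgrade in the fix versions (3.4.9, 3.5.2, 3.6.0) addresses.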

    People

    • Assignee: Michael Han (hanm)
    • Reporter: Michael Han (hanm)
    • Votes: 0
    • Watchers: 2
