Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-2450

Upgrade Netty version due to security vulnerability (CVE-2014-3488)

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 3.4.8, 3.5.1, 3.6.0
    • 3.4.9, 3.5.2, 3.6.0
    • security, server
    • None

    Description

      This JIRA recreates ZOOKEEPER-2432 which was deleted as the collateral damage during the spamming fighting effort Apache Infrastructure Team did weeks ago. Recreate the JIRA for the record so external documentations can link back to this JIRA.

      The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message [1]. We are using netty 3.7.x in ZK for 3.4/3.5/3.6, which is affected by this vulnerability.

      [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3488
      [2] http://netty.io/news/

      Attachments

        Activity

          People

            hanm Michael Han
            hanm Michael Han
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: