[ZOOKEEPER-3794] upgrade netty to address CVE-2020-11612 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.7.0, 3.6.1, 3.5.8
Component/s: security
Labels:
- pull-request-available

Description

The owasp checker is failing with the following. I looked and seems like a DOS attack vector "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder."

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] netty-handler-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-common-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-buffer-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-transport-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-resolver-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-codec-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-transport-native-epoll-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-transport-native-unix-common-4.1.45.Final.jar: CVE-2020-11612
[ERROR]

Attachments

Issue Links

is related to

HBASE-24149 Bump netty version to 4.1.48.Final

Resolved

links to

GitHub Pull Request #1319

Github Pull Request #1333

Activity

People

Assignee:: Patrick D. Hunt

Reporter:: Patrick D. Hunt

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 13/Apr/20 21:55

Updated:: 11/May/20 15:41

Resolved:: 15/Apr/20 09:49

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

50m