Update netty version to fix CVE-2021-21290 #7939
Conversation
Upgrade the netty version to remediate the [CVE-2021-21290](https://nvd.nist.gov/vuln/detail/CVE-2021-21290) vulnerability.
ejona86 left a comment
A Netty upgrade is not this easy. Mainly, we need to run extensive tests and resolve any issues found. That's something we'd need to handle.
There's also many other places that need to be updated, and the version of netty-tcnative commonly needs to be updated as well. An example: 720df64
gRPC does not appear impacted by CVE-2021-21290. If you need 4.1.59 you can either limit the old version of netty to grpc with grpc-netty-shaded or you can exclude the grpc transitive dependencies on netty and depend on the newer netty version yourself.
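The second option ejona86 describes, excluding gRPC's transitive Netty dependency and pinning a newer Netty directly, written out as an added Gradle (Groovy DSL) example that is not part of this PR or of the gRPC project. The gRPC version is a placeholder, the exact set of Netty modules that `grpc-netty` needs and the matching netty-tcnative version are assumptions to be checked against the real build, and 4.1.59.Final is the Netty version named in the comment above.

```groovy
// Added example, not code from the PR or from gRPC.
// Goal: keep gRPC on its own tested Netty line while the application resolves
// Netty 4.1.59.Final (the version named in the review comment).
// Assumptions: Gradle Groovy DSL; GRPC_VERSION_PLACEHOLDER stands in for the
// gRPC release in use; the Netty module list and the tcnative pairing must be
// verified against the build's own dependency graph.

def nettyVersion = '4.1.59.Final'

dependencies {
    // Unshaded grpc-netty, with every io.netty artifact it pulls in excluded so
    // that the versions declared below are the only ones on the classpath.
    implementation('io.grpc:grpc-netty:GRPC_VERSION_PLACEHOLDER') {
        exclude group: 'io.netty'
    }

    // Declare the Netty modules the application (and grpc-netty) need at the
    // pinned version. Assumption: codec-http2 and handler-proxy cover grpc-netty's
    // needs; add further io.netty modules if dependencyInsight shows them missing.
    implementation "io.netty:netty-codec-http2:${nettyVersion}"
    implementation "io.netty:netty-handler-proxy:${nettyVersion}"

    // As the review notes, netty-tcnative usually has to move together with Netty;
    // the compatible tcnative version is an assumption and must be looked up.
    implementation 'io.netty:netty-tcnative-boringssl-static:TCNATIVE_VERSION_PLACEHOLDER'
}

// Defensive guard: if some other dependency still drags in an older io.netty
// artifact, force it to the pinned version rather than letting the older one win.
configurations.all {
    resolutionStrategy.eachDependency { details ->
        if (details.requested.group == 'io.netty'
                && details.requested.name != 'netty-tcnative-boringssl-static') {
            details.useVersion nettyVersion
            details.because 'pin Netty to the remediated version (CVE-2021-21290)'
        }
    }
}
```

After applying this, confirm what actually resolved with `./gradlew dependencyInsight --dependency io.netty --configuration runtimeClasspath`; any io.netty module still reporting a version below 4.1.59.Final means another dependency declares it and the exclusion or the forced version has not reached it. The alternative in the same comment, switching to `io.grpc:grpc-netty-shaded`, needs no exclusions at all because the shaded artifact carries its own relocated copy of Netty that does not conflict with the application's `io.netty` dependencies.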
| List<Status.Code> codeOptions = Arrays.asList( | ||
| Status.Code.UNKNOWN, Status.Code.RESOURCE_EXHAUSTED, Status.Code.INTERNAL); | ||
| Status.Code.UNKNOWN, Status.Code.RESOURCE_EXHAUSTED, Status.Code.INTERNAL, | ||
| Status.Code.UNAVAILABLE); |
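Review bot: adding `Status.Code.UNAVAILABLE` to `codeOptions` widens what this test accepts without saying which part of the Netty upgrade now produces that status; either document why UNAVAILABLE is the correct code after the upgrade, or keep the original three-entry list and treat the new code as a behaviour change to investigate before it is baked into the test.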
We'd need to look into why a new status code is being used. That may be a bug.
| @Override | ||
| @org.junit.Test | ||
| @org.junit.Ignore | ||
| public void clientChecksInboundMetadataSize_trailer() { |
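Review bot: the `@org.junit.Ignore` placed on `clientChecksInboundMetadataSize_trailer()` carries no reason, so the disabled test is easy to forget; give it a message pointing at the tracking issue (`@org.junit.Ignore("reason / issue link")`), and since it is unrelated to the Netty version bump, land it in its own change rather than inside a dependency upgrade.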
It looks like this could be made separately, since it actually has nothing to do with this particular upgrade of Netty.
There is a new CVE on netty, CVE-2021-21409.

CVE-2021-21409 is a follow-up to further fix CVE-2021-21290. It similarly doesn't impact gRPC. I will say soon after this PR was created I did try to run some of our extensive tests with a newer Netty but ran up against netty/netty-jni-util#5. That was addressed in Netty 4.1.61.Final/Netty-tcnative 2.0.37.Final, so we will be trying again.

#8167 bumped the version of Netty to 4.1.63.