Netty 4.1.59 fixing temp file vulnerability (CVE-2021-21290) #7898
Comments
Does this vulnerability actually affect grpc, since based on that security advisory it seems only to be related to http?
dependency-check-maven does complain as it finds the old and affected Netty POM in the grpc jar. One has to suppress the CVE for the Netty version included in that jar.
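An added example (not from this thread): a dependency-check suppression file that limits the CVE-2021-21290 finding to the grpc-netty-shaded jar, so a separately declared io.netty dependency elsewhere in the build is still reported. The filePath pattern is an assumption about how the scanner names the flagged artifact.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- The Netty pom.properties shipped inside grpc-netty-shaded makes
       dependency-check attribute CVE-2021-21290 to the shaded jar.
       Suppress only that match; do not suppress by io.netty packageUrl,
       or a real, unshaded Netty in the build would be hidden as well. -->
  <suppress>
    <notes><![CDATA[
      CVE-2021-21290 (Netty temp-file disclosure) reported against the Netty
      coordinates embedded in grpc-netty-shaded. Scoped to the shaded jar only.
    ]]></notes>
    <!-- assumed file-name pattern for the flagged artifact -->
    <filePath regex="true">.*grpc-netty-shaded-.*\.jar</filePath>
    <cve>CVE-2021-21290</cve>
  </suppress>
</suppressions>
```

Reference the file from the plugin's `suppressionFiles` configuration and re-run the scan; the suppression is recorded in the report, so the finding stays auditable.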
Note that Netty 4.1.59 also has a vulnerability (GHSA-wm47-8v5p-wjpj), so Netty 4.1.60 should be used instead.
And even to version 4.1.61 to resolve https://nvd.nist.gov/vuln/detail/CVE-2021-21409 as well.
Any updates regarding the update of Netty?
gRPC is not impacted by the multipart issue nor the request smuggling. It is safe to use grpc-netty-shaded. If you are using grpc-netty along with netty in your application, you'd have to see whether the rest of your application is impacted and upgrade Netty accordingly. gRPC was incompatible with Netty 4.1.60 when it was initially released, but that was resolved by #7953. We have not done strenuous testing with the newer versions of Netty though. As I mention in #7953, we were unable to upgrade to versions before 4.1.61 because netty-jni-util was incompatible with static linking that is used in some environments. Concerning dependency-check-maven, I have no familiarity with that plugin, but it sounds like it is related to the pom.properties mention in #8077. I might end up removing the pom.properties from grpc-netty-shaded. FWIW, we are working on updating Netty, but not for security reasons.
Netty 4.1.59 has been released that fixes a local information disclosure vulnerability in Netty on Unix-like systems due to temporary files: GHSA-5mcr-gq6c-3hq2
Please update the dependencies to Netty 4.1.59 and TcNative 2.0.36,
and update the table listing the known to work version combinations https://github.com/grpc/grpc-java/security/policy#netty .