Netty 4.1.59 fixing temp file vulnerability (CVE-2021-21290) #7898
Comments
|
Does this vulnerability actually affect grpc, since based on that security advisory it seems only to be related to http? |
|
dependency-check-maven does complain as it finds the old and affected Netty POM in the grpc jar. One has to suppress the CVE for the Netty version included in that jar. |
|
Note that Netty 4.1.59 also has a vulnerability (GHSA-wm47-8v5p-wjpj), so Netty 4.1.60 should be used instead. |
|
And even to version 4.1.61 to resolve https://nvd.nist.gov/vuln/detail/CVE-2021-21409 as well. |
|
Any updates regarding the update of Netty. |
|
gRPC is not impacted by the multipart issue nor the request smuggling. It is safe to use grpc-netty-shaded. If you are using grpc-netty along with netty in your application, you'd have to see whether the rest of your application is impacted and upgrade Netty accordingly. gRPC was incompatible with Netty 4.1.60 when it was initially released, but that was resolved by #7953 . We have not done strenuous testing with the newer versions of Netty though. As I mention in #7953, we were unable to upgrade to versions before 4.1.61 because netty-jni-util was incompatible with static linking that is used in some environments. Concerning dependency-check-maven, I have no familiarity with that plugin, but it sounds like it is related to the pom.properties mention in #8077 . I might remove end up removing the pom.properties from grpc-netty-shaded. FWIW, we are working on updating Netty, but not for security reasons. |
Netty 4.1.59 has been released that fixes a local information disclosure vulnerability in Netty on Unix-like systems due temporary files: GHSA-5mcr-gq6c-3hq2
Please update the dependencies to Netty 41.59 and TcNative 2.0.36,
and update the table listing the known to work version combinations https://github.com/grpc/grpc-java/security/policy#netty .
The text was updated successfully, but these errors were encountered: