Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade grpc netty due to security risks #8077

Closed
camjohson opened this issue Apr 12, 2021 · 11 comments
Closed

Upgrade grpc netty due to security risks #8077

camjohson opened this issue Apr 12, 2021 · 11 comments
Labels
question

Comments

@camjohson
Copy link

Hi!
In grpc 1.37.0 it seems like there is a security issue as below.

io.netty:netty-codec-http:4.1.52.Final:
"Netty contains a flaw in the AbstractDiskHttpData.delete() function in handler/codec/http/multipart/AbstractDiskHttpData.java that is triggered as temporary
file entries are added to the 'DeleteOnExitHook' object but not properly removed when processing POST requests that are 16 kB. This may allow a remote attacker
to exhaust available memory resources, potentially resulting in a denial of service."

Do you have any plan for upgrade grpc-netty (or grpc-netty-shaded) to a new version for netty-codec-http:4.1.53.Final?
@sanjaypujare
Copy link
Contributor

sanjaypujare commented Apr 12, 2021
edited

There is already an issue #7898 to track this. Can we close this as duplicate? #7953 also has some discussion related to netty upgrades.

@camjohson
Copy link
Author

Not sure.. we are using grpc-netty-shaded and it seems to bring in io.netty:netty-codec-http:4.1.52.Final ?
io.netty:netty-codec-http:4.1.52.Final gives a security high warning.
We would like a new grpc-netty-shaded version that use a later version of io.netty:netty-codec-http
Will those other issues fix that?

@sanjaypujare
Copy link
Contributor

netty will be upgraded to "one" version in the near future based on all such requirements. You talked about upgrading to 4.1.53.Final but it could be 4.1.60.Final so it is best to track this one issue and you can also add your comments in that one issue.

@camjohson
Copy link
Author

Yes, 4.1.60.Final will be good.
So do I understand you correct that there will be a new grpc-netty-shaded version like 1.37.1 in near future?
https://mvnrepository.com/artifact/io.grpc/grpc-netty-shaded

@sanjaypujare
Copy link
Contributor

It is unlikely to be a patch release like 1.37.1 and also I don't know how soon this will be done. CC @ejona86 who can throw some light on this

@ejona86
Copy link
Member

ejona86 commented Apr 13, 2021

gRPC is not impacted by that CVE, so there's no immediate need to update Netty within grpc-netty-shaded. If you are using Netty elsewhere in your application and are using grpc-netty, then there is the need to let you upgrade your application to a newer version to avoid the CVE in your application (because you could be using multipart). To that end grpc-java 1.35.1, 1.36.1, and 1.37.0 are compatible with Netty 4.1.60.Final.

Netty 4.1.60 was incompatible with some Bazel environments that build tcnative and netty-transport-epoll, so we'll need to upgrade to Netty 4.1.61+. That work is scheduled to happen soon, but the multipart CVE has no real impact on that.

@camjohson
Copy link
Author

camjohson commented Apr 14, 2021
edited

Ok.. we only depend on grpc-netty-shaded.
So in this case, do you mean that below warning does not affect grpc-netty-shaded?

"Netty contains a flaw in the AbstractDiskHttpData.delete() function in handler/codec/http/multipart/AbstractDiskHttpData.java that is triggered as temporary file entries are added to the 'DeleteOnExitHook' object but not properly removed when processing POST requests that are 16 kB. This may allow a remote attacker to exhaust available memory resources, potentially resulting in a denial of service."

@ejona86
Copy link
Member

ejona86 commented Apr 14, 2021

Yes. gRPC does not process multipart messages and does not use AbstractDiskHttpData.

@ejona86
Copy link
Member

ejona86 commented Apr 14, 2021

If you use grpc-netty-shaded, you shouldn't need a dependency on io.netty:netty-codec-http. You may investigate how that dependency is being introduced into your build.

@camjohson
Copy link
Author

We only have a dependency to grpc-netty-shaded.
But that jar file contains maven META-INF stuff. Like netty-codec-http pom.properties.
Are those things needed to be included in grpc-netty-shaded jar file?

@ejona86 ejona86 mentioned this issue May 11, 2021
Closed
ejona86 added a commit to ejona86/grpc-java that referenced this issue May 11, 2021
@ejona86
netty: Remove Maven pom.properties from netty-shaded
f2f0161 
The pom.properties are apparently present to allow tooling to know what
Maven artifact cooresponds to a JAR, just by looking at the JAR. Since
we shade Netty, that produces inaccurate results. This was brought up
in grpc#8077.
ejona86 added a commit to ejona86/grpc-java that referenced this issue May 11, 2021
@ejona86
netty: Remove Maven pom.properties from netty-shaded
cc95b98 
The pom.properties are apparently present to allow tooling to know what
Maven artifact cooresponds to a JAR, just by looking at the JAR. Since
we shade Netty, that produces inaccurate results. This was noticed in
in grpc#8077.
@ejona86 ejona86 mentioned this issue May 11, 2021
Merged
ejona86 added a commit that referenced this issue May 11, 2021
@ejona86
netty: Remove Maven pom.properties from netty-shaded
1882c47 
The pom.properties are apparently present to allow tooling to know what
Maven artifact cooresponds to a JAR, just by looking at the JAR. Since
we shade Netty, that produces inaccurate results. This was noticed in
in #8077.
@ejona86
Copy link
Member

ejona86 commented May 11, 2021

With #8165 removing the pom.properties, it seems there's no further issues here.

@ejona86 ejona86 closed this as completed May 11, 2021
ejona86 added a commit to ejona86/grpc-java that referenced this issue May 12, 2021
@ejona86
netty: Remove Maven pom.properties from netty-shaded
f4980dd 
The pom.properties are apparently present to allow tooling to know what
Maven artifact cooresponds to a JAR, just by looking at the JAR. Since
we shade Netty, that produces inaccurate results. This was noticed in
in grpc#8077.
ejona86 added a commit to ejona86/grpc-java that referenced this issue May 12, 2021
@ejona86
netty: Remove Maven pom.properties from netty-shaded
fefa57c 
The pom.properties are apparently present to allow tooling to know what
Maven artifact cooresponds to a JAR, just by looking at the JAR. Since
we shade Netty, that produces inaccurate results. This was noticed in
in grpc#8077.
@ejona86 ejona86 mentioned this issue May 12, 2021
Merged
ejona86 added a commit that referenced this issue May 12, 2021
@ejona86
netty: Remove Maven pom.properties from netty-shaded
9055e6d 
The pom.properties are apparently present to allow tooling to know what
Maven artifact cooresponds to a JAR, just by looking at the JAR. Since
we shade Netty, that produces inaccurate results. This was noticed in
in #8077.
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 10, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ejona86 @sanjaypujare @camjohson