
Update netty version to fix CVE-2021-21290 #7939

Closed · wants to merge 2 commits into from

Conversation

@kwart commented Mar 4, 2021

Upgrade the netty version to remediate the CVE-2021-21290 vulnerability.

linux-foundation-easycla bot commented Mar 4, 2021

CLA Signed

The committers are authorized under a signed CLA.

@ejona86 (Member) left a review comment

A Netty upgrade is not this easy. Mainly, we need to run extensive tests and resolve any issues found. That's something we'd need to handle.

There are also many other places that need to be updated, and the version of netty-tcnative commonly needs to be updated as well. An example: 720df64

gRPC does not appear impacted by CVE-2021-21290. If you need 4.1.59 you can either limit the old version of netty to grpc with grpc-netty-shaded or you can exclude the grpc transitive dependencies on netty and depend on the newer netty version yourself.
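The two workarounds named above can be expressed in a Maven POM. The fragment below is an added example, not configuration from gRPC or from this PR; the gRPC version is a placeholder, Netty 4.1.59.Final is the fixed release the thread refers to, and the two io.netty artifacts re-declared under option B (netty-codec-http2 and netty-handler-proxy) are assumed to be the ones grpc-netty pulls in transitively, which you should confirm against your own dependency tree.

```xml
<project>
  <properties>
    <!-- Placeholder: use the gRPC release your build is actually on. -->
    <grpc.version>1.36.0</grpc.version>
    <!-- First Netty release that carries the fix for CVE-2021-21290. -->
    <netty.version>4.1.59.Final</netty.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Option B only: pin every io.netty:* artifact in the graph to the patched
           release via Netty's BOM, so nothing else can drag an older one back in. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Option A: grpc-netty-shaded. gRPC's own copy of Netty is relocated to
         io.grpc.netty.shaded.io.netty, so it never appears as io.netty:* on your
         classpath and does not collide with a newer io.netty you depend on directly.
         Choose either option A or option B, not both. -->
    <dependency>
      <groupId>io.grpc</groupId>
      <artifactId>grpc-netty-shaded</artifactId>
      <version>${grpc.version}</version>
    </dependency>

    <!-- Option B: keep grpc-netty, cut its transitive Netty, declare Netty yourself. -->
    <dependency>
      <groupId>io.grpc</groupId>
      <artifactId>grpc-netty</artifactId>
      <version>${grpc.version}</version>
      <exclusions>
        <exclusion>
          <groupId>io.netty</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <!-- Assumed transitive set; versions come from the netty-bom import above. -->
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-codec-http2</artifactId>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-handler-proxy</artifactId>
    </dependency>
  </dependencies>
</project>
```

After either change, confirm what actually resolved with `mvn dependency:tree -Dincludes=io.netty` and check that no io.netty artifact older than 4.1.59.Final remains. Under option B you own the Netty/netty-tcnative pairing that the comment above warns about: if you add io.netty:netty-tcnative-boringssl-static for TLS, pick the tcnative release that Netty's own release notes list as matching the Netty version you pinned.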

@@ -1920,7 +1920,8 @@ public void serverChecksInboundMetadataSize() throws Exception {
// If this times out, the server probably isn't noticing the metadata size
Status status = clientStreamListener.status.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
List<Status.Code> codeOptions = Arrays.asList(
Status.Code.UNKNOWN, Status.Code.RESOURCE_EXHAUSTED, Status.Code.INTERNAL);
Status.Code.UNKNOWN, Status.Code.RESOURCE_EXHAUSTED, Status.Code.INTERNAL,
Status.Code.UNAVAILABLE);
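Review bot: the added line widens codeOptions to accept Status.Code.UNAVAILABLE for an oversized inbound metadata block, but nothing in the hunk says why the newer Netty now produces that code instead of UNKNOWN, RESOURCE_EXHAUSTED or INTERNAL; loosening the assertion hides a possible regression in status mapping. Pin down the path that yields UNAVAILABLE and keep the list tight, or at minimum add a comment on the new line naming that path so the relaxed test documents known behaviour rather than masking it.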
Reviewer comment (Member):

We'd need to look into why a new status code is being used. That may be a bug.

@Override
@org.junit.Test
@org.junit.Ignore
public void clientChecksInboundMetadataSize_trailer() {
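Review bot: @org.junit.Ignore is added to clientChecksInboundMetadataSize_trailer with no reason string and no tracking issue, which silently disables the check that the client rejects oversized trailers. Use @org.junit.Ignore("...") with the observed failure and an issue reference, and since the disablement has no visible connection to the Netty version bump, split it into its own change so it can be reviewed on its own merits.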
Reviewer comment (Member):

It looks like this could be made separately, since it actually has nothing to do with this particular upgrade of Netty.

@mbard commented Apr 23, 2021

There is a new CVE on netty, CVE-2021-21409.
That requires an update to 4.1.61.Final to resolve it.

@ejona86 (Member) commented Apr 23, 2021

CVE-2021-21409 is a follow-up that further fixes CVE-2021-21290. It similarly doesn't impact gRPC.

I will say soon after this PR was created I did try to run some of our extensive tests with a newer Netty but ran up against netty/netty-jni-util#5 . That was addressed in Netty 4.1.61.Final/Netty-tcnative 2.0.37.Final, so we will be trying again.

@ejona86 (Member) commented Sep 21, 2021

#8167 bumped the version of Netty to 4.1.63.

@ejona86 ejona86 closed this Sep 21, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 21, 2021