New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update netty version to fix CVE-2021-21290 #7939
Conversation
Upgrade the netty version to remediate the [CVE-2021-21290](https://nvd.nist.gov/vuln/detail/CVE-2021-21290) vulnerability.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A Netty upgrade is not this easy. Mainly, we need to run extensive tests and resolve any issues found. That's something we'd need to handle.
There's also many other places that need to be updated, and the version of netty-tcnative commonly needs to be updated as well. An example: 720df64
gRPC does not appear impacted by CVE-2021-21290. If you need 4.1.59 you can either limit the old version of netty to grpc with grpc-netty-shaded or you can exclude the grpc transitive dependencies on netty and depend on the newer netty version yourself.
@@ -1920,7 +1920,8 @@ public void serverChecksInboundMetadataSize() throws Exception { | |||
// If this times out, the server probably isn't noticing the metadata size | |||
Status status = clientStreamListener.status.get(TIMEOUT_MS, TimeUnit.MILLISECONDS); | |||
List<Status.Code> codeOptions = Arrays.asList( | |||
Status.Code.UNKNOWN, Status.Code.RESOURCE_EXHAUSTED, Status.Code.INTERNAL); | |||
Status.Code.UNKNOWN, Status.Code.RESOURCE_EXHAUSTED, Status.Code.INTERNAL, | |||
Status.Code.UNAVAILABLE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'd need to look into why a new status code is being used. That may be a bug.
@Override | ||
@org.junit.Test | ||
@org.junit.Ignore | ||
public void clientChecksInboundMetadataSize_trailer() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like this could be made separately, since it actually has nothing to do with this particular upgrade of Netty.
There is a new CVE on netty, CVE-2021-21409. |
CVE-2021-21409 is a followup to further fix to CVE-2021-21290. It similarly doesn't impact gRPC. I will say soon after this PR was created I did try to run some of our extensive tests with a newer Netty but ran up against netty/netty-jni-util#5 . That was addressed in Netty 4.1.61.Final/Netty-tcnative 2.0.37.Final, so we will be trying again. |
#8167 bumped the version of Netty to 4.1.63. |
Upgrade the netty version to remediate the CVE-2021-21290 vulnerability.