Update netty to 4.1.86.Final to remediate CVE-2022-41881 #3512

Closed
debraj-spotnana opened this issue Mar 1, 2023 · 6 comments
Comments

debraj-spotnana commented Mar 1, 2023

zipkin is getting flagged in our security scans due to the presence of io.netty:netty-codec-haproxy:4.1.78.Final, which has CVE-2022-41881.

Is there any plan to upgrade io.netty:netty-codec-haproxy to 4.1.86.Final to get around this?

@rweinsteinPGH
My organization is tagging this as well. I know netty just got updated a few months ago to 4.1.78, but it needs to get updated again to clear this issue; severity is High.

@jcchavezs
Contributor

jcchavezs commented Mar 3, 2023 via email

@debraj-manna

@jcchavezs @llinder - Can you please let us know if zipkin is really affected by CVE-2022-41881?

darkmastermindz added a commit to darkmastermindz/zipkin that referenced this issue Jun 8, 2023
Bump to match Spring Boot v2.7.12
Remediates CVE-2022-41881 
Ref issue: openzipkin#3512
Contributor

darkmastermindz commented Jun 8, 2023

Hi @jcchavezs @llinder

This CVE seems to be inherited from Spring Boot and resolved in Spring Boot v2.7.12.

I can confirm this is being picked up on my end as well as the only CVE left to remediate in Zipkin 2.24.2 although it uses v2.7.12 since it's specified in https://github.com/openzipkin/zipkin/blob/1acbc8651df50aa8200cbff725285a1cb1c759d9/pom.xml#LL57C1-L58C1

Opened a PR using netty 4.1.92.Final to match, to see if there are any conflicts.

References:
spring-projects/spring-boot/issues/33580

@darkmastermindz
Contributor

@jcchavezs @llinder I think we should favor bumping to 4.1.92.Final (#3548) to match the current Spring Boot version.
Wanted to compare with CI on 4.1.86.Final in #3549; @shakuzen mentioned that there was a broken test unrelated to this change.

darkmastermindz added a commit to darkmastermindz/zipkin that referenced this issue Jul 23, 2023
llinder pushed a commit that referenced this issue Aug 1, 2023
* chore(deps): Update netty from 4.1.78.Final to 4.1.92.Final

Bump to match Spring Boot v2.7.12
Remediates CVE-2022-41881 
Ref issue: #3512

* Bump netty version to 4.1.95.Final and match Spring Boot v2.7.14
Remediates CVE-2022-41881, CVE-2023-34462
Ref issue: #3512
@codefromthecrypt
Member

latest version of zipkin has all netty CVEs addressed
