monologuist opened a new issue, #3648:
URL: https://github.com/apache/amoro/issues/3648

   ### Search before asking
   
   - [x] I have searched in the [issues](https://github.com/apache/amoro/issues?q=is%3Aissue) and found no similar issues.
   
   
   ### What would you like to be improved?
   
   NVD reported an HTTP/2 protocol denial of service vulnerability (CVE-2023-44487)[1].
   In this vulnerability, a malicious attacker can open multiple request streams and immediately cancel the request by sending a RST_STREAM frame. This method can bypass the concurrent stream limit and cause rapid consumption of server resources.
   
   I see that the dependencies of netty (4.1.86.Final) and jetty (9.4.51.v20230217) in our 0.7+ versions are all vulnerable versions:
   Vulnerability impact:
   - netty <= 4.1.100
   - jetty <= 9.4.53
   - 10.0.0 <= jetty <= 10.0.17
   - 11.0.0 <= jetty <= 11.0.17
   - 12.0.0 <= jetty <= 12.0.2
   
   I recommend upgrading the versions of jetty and netty in the amoro project 
to the released fixed versions to avoid the security impact of this 
vulnerability.
   
   [1] https://nvd.nist.gov/vuln/detail/cve-2023-44487
   
   ### How should we improve?
   
   Update `<netty.version>4.1.86.Final</netty.version>` in the amoro root directory to version 4.1.101.Final.
   Update `<javalin.version>4.6.8</javalin.version>` in the amoro root directory to version 6.0.0, because jetty is introduced through this dependency.
   
   <img width="899" alt="Image" src="https://github.com/user-attachments/assets/6ec6b264-1bae-433e-bf43-f587fee8ec90" />
   
   
   
   ### Are you willing to submit PR?
   
   - [x] Yes I am willing to submit a PR!
   
   ### Subtasks
   
   _No response_
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://www.apache.org/foundation/policies/conduct)
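An added version checker (not code from the issue or the Amoro project) that reads `netty.version` from a pom and tests it, together with a separately resolved jetty version, against the inclusive ranges the issue lists for CVE-2023-44487. The pom fragment is constructed to mirror the properties named above; jetty is transitive via javalin, so its resolved version is assumed to come from `mvn dependency:tree` and is passed in by hand.

```python
import xml.etree.ElementTree as ET

# Inclusive vulnerable ranges, exactly as listed in the issue above.
VULNERABLE_RANGES = {
    "netty": [((0,), (4, 1, 100))],
    "jetty": [((0,), (9, 4, 53)), ((10, 0, 0), (10, 0, 17)),
              ((11, 0, 0), (11, 0, 17)), ((12, 0, 0), (12, 0, 2))],
}

# Constructed pom.xml fragment carrying the two properties the issue names.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <netty.version>4.1.86.Final</netty.version>
    <javalin.version>4.6.8</javalin.version>
  </properties>
</project>"""

def parse_version(text):
    """'4.1.86.Final' -> (4, 1, 86): keep leading numeric parts, drop qualifiers."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break  # stop at qualifiers such as Final or v20230217
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)

def is_vulnerable(component, version):
    """True if the version falls inside any listed range for the component."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES[component])

def pom_properties(pom_xml):
    """Read <properties> children as {name: value}, ignoring the POM namespace."""
    props = {}
    for elem in ET.fromstring(pom_xml).iter():
        if elem.tag.split("}")[-1] == "properties":
            for child in elem:
                props[child.tag.split("}")[-1]] = (child.text or "").strip()
    return props

def check_pom(pom_xml, resolved_jetty=None):
    """netty is read from <netty.version>; jetty is transitive via javalin, so its
    resolved version (assumed to come from `mvn dependency:tree`) is passed in."""
    props = pom_properties(pom_xml)
    findings = {}
    if "netty.version" in props:
        findings["netty"] = is_vulnerable("netty", props["netty.version"])
    if resolved_jetty is not None:
        findings["jetty"] = is_vulnerable("jetty", resolved_jetty)
    return findings
```

`check_pom(SAMPLE_POM, resolved_jetty="9.4.51.v20230217")` flags both components; rerunning it with the proposed 4.1.101.Final clears netty, while jetty only clears once the javalin upgrade actually resolves a version outside the listed ranges.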
   

