Christoph Schnepf created CASSANDRA-21481:
---------------------------------------------

             Summary: CVE's around Netty in Cassandra
                 Key: CASSANDRA-21481
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-21481
             Project: Apache Cassandra
          Issue Type: Bug
            Reporter: Christoph Schnepf


Hi,
we're running Cassandra 4.1(.11) and got a vulnerability report which lists 
e.g. CVE-2026-50010 due to the latest findings in Netty. I had a look and it 
seems it is not exploitable: Cassandra does not rely on Netty's flawed 
trust-manager hostname verification; it sets 
endpointIdentificationAlgorithm("HTTPS") directly on the SSLEngine 
(SocketFactory.java:227, active when require_endpoint_verification: true). The 
JSSE check runs independently of the vulnerable code path.

Is there a chance to bump netty-all from `4.1.58.Final` → `4.1.135.Final` and 
`netty-tcnative-boringssl-static` from `2.0.36.Final` → `2.0.70.Final`
or alternatively could we extend the suppression list? 

It was a scan of "Black Duck", which lists quite some vulnerabilities for Netty 
in general, for parts which are just not used in Cassandra 
(netty-codec-haproxy, -redis or -http2), like CVE-2026-44890, but still shows 
up in the netty-all bundle.

Thead in Slack: https://the-asf.slack.com/archives/CK23JSY2K/p1781524939161659



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to