[ 
https://issues.apache.org/jira/browse/CASSANDRA-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Christoph Schnepf updated CASSANDRA-21481:
------------------------------------------
    Description: 
Hi,
we're running Cassandra 4.1(.11) and got a vulnerability report which lists 
e.g. CVE-2026-50010 due to the latest findings in Netty. I had a look and it 
seems it is not exploitable: Cassandra does not rely on Netty's flawed 
trust-manager hostname verification; it sets 
endpointIdentificationAlgorithm("HTTPS") directly on the SSLEngine 
(SocketFactory.java:227, active when require_endpoint_verification: true). The 
JSSE check runs independently of the vulnerable code path.

Is there a chance to bump _netty-all_ from *4.1.58.Final* → *4.1.135.Final* and 
_netty-tcnative-boringssl-static_ from *2.0.36.Final* → *2.0.70.Final*
or alternatively could we extend the suppression list? 

It was a scan of "Black Duck", which lists quite some vulnerabilities for Netty 
in general, for parts which are just not used in Cassandra 
(netty-codec-haproxy, -redis or -http2), like CVE-2026-44890, but still shows 
up in the netty-all bundle.

Thead in Slack: https://the-asf.slack.com/archives/CK23JSY2K/p1781524939161659

  was:
Hi,
we're running Cassandra 4.1(.11) and got a vulnerability report which lists 
e.g. CVE-2026-50010 due to the latest findings in Netty. I had a look and it 
seems it is not exploitable: Cassandra does not rely on Netty's flawed 
trust-manager hostname verification; it sets 
endpointIdentificationAlgorithm("HTTPS") directly on the SSLEngine 
(SocketFactory.java:227, active when require_endpoint_verification: true). The 
JSSE check runs independently of the vulnerable code path.

Is there a chance to bump netty-all from `4.1.58.Final` → `4.1.135.Final` and 
`netty-tcnative-boringssl-static` from `2.0.36.Final` → `2.0.70.Final`
or alternatively could we extend the suppression list? 

It was a scan of "Black Duck", which lists quite some vulnerabilities for Netty 
in general, for parts which are just not used in Cassandra 
(netty-codec-haproxy, -redis or -http2), like CVE-2026-44890, but still shows 
up in the netty-all bundle.

Thead in Slack: https://the-asf.slack.com/archives/CK23JSY2K/p1781524939161659


> CVE's around Netty in Cassandra
> -------------------------------
>
>                 Key: CASSANDRA-21481
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-21481
>             Project: Apache Cassandra
>          Issue Type: Bug
>            Reporter: Christoph Schnepf
>            Priority: Normal
>
> Hi,
> we're running Cassandra 4.1(.11) and got a vulnerability report which lists 
> e.g. CVE-2026-50010 due to the latest findings in Netty. I had a look and it 
> seems it is not exploitable: Cassandra does not rely on Netty's flawed 
> trust-manager hostname verification; it sets 
> endpointIdentificationAlgorithm("HTTPS") directly on the SSLEngine 
> (SocketFactory.java:227, active when require_endpoint_verification: true). 
> The JSSE check runs independently of the vulnerable code path.
> Is there a chance to bump _netty-all_ from *4.1.58.Final* → *4.1.135.Final* 
> and _netty-tcnative-boringssl-static_ from *2.0.36.Final* → *2.0.70.Final*
> or alternatively could we extend the suppression list? 
> It was a scan of "Black Duck", which lists quite some vulnerabilities for 
> Netty in general, for parts which are just not used in Cassandra 
> (netty-codec-haproxy, -redis or -http2), like CVE-2026-44890, but still shows 
> up in the netty-all bundle.
> Thead in Slack: https://the-asf.slack.com/archives/CK23JSY2K/p1781524939161659



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to