dill21yu opened a new issue, #17952: URL: https://github.com/apache/dolphinscheduler/issues/17952
### Search before asking

- [x] I had searched in the [issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and found no similar feature requirement.

### Description

Part of https://github.com/apache/dolphinscheduler/issues/15940

Current DolphinScheduler uses:

```xml
<netty.version>4.1.53.Final</netty.version>
```

Netty 4.1.53.Final is affected by an HTTP/2 protocol denial-of-service vulnerability (CVE-2023-44487). To mitigate this security risk, upgrade Netty to a fixed, supported release (proposed: 4.1.100.Final).

**Vulnerability**

- Vulnerability name: HTTP/2 protocol denial-of-service
- CVE: CVE-2023-44487
- Category: Denial of Service (protocol-level, HTTP/2)
- Impact: A malicious or malformed HTTP/2 stream can cause excessive resource consumption or connection disruption in Netty-based HTTP/2 servers/clients.

**Recommended fix**

- Upgrade Netty to at least a version where CVE-2023-44487 is fixed. Proposed: 4.1.100.Final.
- Update the `${netty.version}` property and any direct Netty dependency versions.
- Run the full test suite and do smoke tests for HTTP/2-related components to ensure no regressions.
- Review any code that depends on Netty internals or on behavior that may have changed between 4.1.53 and 4.1.100; adjust if needed.
- If the project uses shaded or bundled Netty artifacts, ensure the shading/bundling is updated too.

**References**

- NVD: [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
- Netty releases: https://github.com/netty/netty/releases

### Are you willing to submit a PR?

- [x] Yes I am willing to submit a PR!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
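
The second and fifth fix steps above (update `${netty.version}` and catch any Netty artifact that pins its own version) are the ones a reviewer usually wants checked mechanically rather than by eye. The script below is an added example, not DolphinScheduler code or part of the issue: it parses a `pom.xml`, resolves `${...}` property references, and lists every `io.netty` artifact whose resolved version is below the 4.1.100.Final release the issue proposes. The sample POM is constructed here; the `netty-codec-http2` entry pinned to 4.1.86.Final is an assumed example of a direct dependency that would silently stay vulnerable after only the property is bumped.

```python
"""Audit a Maven pom.xml for io.netty artifacts below the CVE-2023-44487 fix release.

Added example, not DolphinScheduler code. SAMPLE_POM is constructed for
illustration; the hard-pinned netty-codec-http2 entry is an assumption used to
show why bumping only ${netty.version} is not enough.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_NETTY = "4.1.100.Final"  # release the issue proposes as the fixed floor

SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>netty-audit-sample</artifactId>
  <version>1.0</version>
  <properties>
    <netty.version>4.1.53.Final</netty.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-all</artifactId>
        <version>${netty.version}</version>
      </dependency>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-codec-http2</artifactId>
        <version>4.1.86.Final</version>
      </dependency>
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>unrelated-lib</artifactId>
        <version>2.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""


def parse_version(version):
    """Turn '4.1.53.Final' into a comparable tuple (4, 1, 53).

    Netty qualifiers such as .Final carry no ordering information, so only the
    first three numeric components are compared.
    """
    nums = re.findall(r"\d+", version)
    return tuple(int(n) for n in nums[:3])


def resolve(value, props):
    """Substitute ${prop} references using <properties>; unknown ones stay as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def netty_versions(pom_xml):
    """Return {artifactId: resolved version} for every io.netty dependency.

    Walks both <dependencies> and <dependencyManagement>, so a direct pin that
    overrides the shared property is reported alongside the property-driven ones.
    """
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    found = {}
    for dep in root.iter("{%s}dependency" % POM_NS["m"]):
        if dep.findtext("m:groupId", "", POM_NS).strip() != "io.netty":
            continue
        artifact = dep.findtext("m:artifactId", "", POM_NS).strip()
        version = dep.findtext("m:version", "", POM_NS).strip()
        found[artifact] = resolve(version, props)
    return found


def vulnerable_artifacts(pom_xml, fixed=FIXED_NETTY):
    """io.netty artifacts whose resolved version is below the fixed release."""
    floor = parse_version(fixed)
    return {artifact: version
            for artifact, version in netty_versions(pom_xml).items()
            if not version.startswith("${") and parse_version(version) < floor}


if __name__ == "__main__":
    for artifact, version in sorted(vulnerable_artifacts(SAMPLE_POM).items()):
        print("%s %s is below %s (CVE-2023-44487)" % (artifact, version, FIXED_NETTY))
```

On the constructed POM this flags both `netty-all` (via the 4.1.53.Final property) and the hard-pinned `netty-codec-http2`; bumping the property alone would clear only the first. The script reads the POM text, not the resolved dependency graph, so transitive Netty pulled in by other libraries or by shaded artifacts is out of its scope; for that, `mvn dependency:tree -Dincludes=io.netty` against the built project is the complementary check.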
