CVEDetect opened a new issue #723: URL: https://github.com/apache/servicecomb-pack/issues/723
Hi, In **servicecomb-pack/omega/omega-connector/omega-connector-grpc**,there is a dependency **io.netty:netty-common:4.1.35.Final** that calls the risk method. [CVE-2021-21290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21290) The scope of this CVE affected version is **[,4.1.61.Final)** After further analysis, in this project, the main Api called is **<io.netty.util.internal.NativeLibraryLoader: void load(java.lang.String,java.lang.ClassLoader)>** Risk method repair link : [GitHub](https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec) **CVE Bug Invocation Path--** **Path Length : 9** ``` <io.netty.util.internal.NativeLibraryLoader: void load(java.lang.String,java.lang.ClassLoader)> at <io.netty.util.internal.NativeLibraryLoader: void loadFirstAvailable(java.lang.ClassLoader,java.lang.String[])> (io.netty.util.internal.NativeLibraryLoader.java:[96]) in /.m2/repository/io/netty/netty-common/4.1.35.Final/netty-common-4.1.35.Final.jar at <io.netty.handler.ssl.OpenSsl: void loadTcNative()> (io.netty.handler.ssl.OpenSsl.java:[554]) in /.m2/repository/io/netty/netty-handler/4.1.35.Final/netty-handler-4.1.35.Final.jar at <io.netty.handler.ssl.OpenSsl: void <clinit>()> (io.netty.handler.ssl.OpenSsl.java:[135]) in /.m2/repository/io/netty/netty-handler/4.1.35.Final/netty-handler-4.1.35.Final.jar at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslProvider defaultSslProvider()> (io.grpc.netty.GrpcSslContexts.java:[244, 254]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslContextBuilder configure(io.netty.handler.ssl.SslContextBuilder)> (io.grpc.netty.GrpcSslContexts.java:[171]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslContextBuilder forClient()> (io.grpc.netty.GrpcSslContexts.java:[120]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar at <org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder: com.google.common.base.Optional buildSslContext(org.apache.servicecomb.pack.omega.connector.grpc.AlphaClusterConfig)> (org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder.java:[129]) in /detect/unzip/servicecomb-pack-0.6.0/omega/omega-connector/omega-connector-grpc/target/classes at <org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder: org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContext build()> (org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder.java:[71]) in /detect/unzip/servicecomb-pack-0.6.0/omega/omega-connector/omega-connector-grpc/target/classes ``` **Dependency tree--** ``` [INFO] org.apache.servicecomb.pack:omega-connector-grpc:jar:0.6.0 [INFO] +- io.grpc:grpc-protobuf:jar:1.22.0:compile [INFO] | +- io.grpc:grpc-api:jar:1.22.0:compile [INFO] | | +- io.grpc:grpc-context:jar:1.22.0:compile [INFO] | | +- com.google.errorprone:error_prone_annotations:jar:2.3.2:compile [INFO] | | +- com.google.code.findbugs:jsr305:jar:3.0.1:compile [INFO] | | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.17:compile [INFO] | +- com.google.protobuf:protobuf-java:jar:3.7.1:compile [INFO] | +- com.google.guava:guava:jar:20.0:compile [INFO] | +- com.google.api.grpc:proto-google-common-protos:jar:1.12.0:compile [INFO] | \- io.grpc:grpc-protobuf-lite:jar:1.22.0:compile [INFO] +- io.grpc:grpc-netty:jar:1.22.0:compile [INFO] | +- io.grpc:grpc-core:jar:1.22.0:compile (version selected from constraint [1.22.0,1.22.0]) [INFO] | | +- com.google.code.gson:gson:jar:2.8.4:compile [INFO] | | +- com.google.android:annotations:jar:4.1.1.4:compile [INFO] | | +- io.perfmark:perfmark-api:jar:0.16.0:compile [INFO] | | +- io.opencensus:opencensus-api:jar:0.21.0:compile [INFO] | | \- io.opencensus:opencensus-contrib-grpc-metrics:jar:0.21.0:compile [INFO] | +- io.netty:netty-codec-http2:jar:4.1.35.Final:compile [INFO] | | +- io.netty:netty-common:jar:4.1.35.Final:compile [INFO] | | +- io.netty:netty-buffer:jar:4.1.35.Final:compile [INFO] | | +- io.netty:netty-transport:jar:4.1.35.Final:compile [INFO] | | | \- io.netty:netty-resolver:jar:4.1.35.Final:compile [INFO] | | +- io.netty:netty-codec:jar:4.1.35.Final:compile [INFO] | | +- io.netty:netty-handler:jar:4.1.35.Final:compile [INFO] | | \- io.netty:netty-codec-http:jar:4.1.35.Final:compile [INFO] | \- io.netty:netty-handler-proxy:jar:4.1.35.Final:compile [INFO] | \- io.netty:netty-codec-socks:jar:4.1.35.Final:compile [INFO] +- io.netty:netty-tcnative-boringssl-static:jar:2.0.25.Final:compile [INFO] +- org.apache.servicecomb.pack:omega-transaction:jar:0.6.0:compile [INFO] | +- org.apache.servicecomb.pack:pack-common:jar:0.6.0:compile [INFO] | +- org.apache.servicecomb.pack:omega-context:jar:0.6.0:compile [INFO] | +- org.aspectj:aspectjweaver:jar:1.8.10:compile [INFO] | +- javax.transaction:javax.transaction-api:jar:1.2:compile [INFO] | \- org.springframework:spring-core:jar:5.1.8.RELEASE:compile [INFO] | \- org.springframework:spring-jcl:jar:5.1.8.RELEASE:compile [INFO] +- org.apache.servicecomb.pack:pack-contract-grpc:jar:0.6.0:compile [INFO] | \- io.grpc:grpc-stub:jar:1.22.0:compile [INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile ``` **_Suggested solutions:_** Update dependency version Thank you very much. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
