[ 
https://issues.apache.org/jira/browse/HADOOP-18825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17758727#comment-17758727
 ] 

Eugene Shinn (Truveta) commented on HADOOP-18825:
-------------------------------------------------

Pinging to bring back to top of stack for potential triage and update.

> Address Netty 4.x / CWE-295 by configuring hostname verification
> ----------------------------------------------------------------
>
>                 Key: HADOOP-18825
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18825
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.6
>            Reporter: Eugene Shinn (Truveta)
>            Priority: Minor
>
> Our SAST tool has picked up that the version of Netty 4.x used by Hadoop is 
> vulnerable to [Security Vulnerability - Common Weakness Enumeration (CWE) 
> CWE-295 · Issue #9930 · netty/netty 
> (github.com)|https://github.com/netty/netty/issues/9930]. Until Netty 5 is 
> released (which will enable it by default), the remediation is to enable host 
> name verification ([SslContext (Netty API Reference 
> (4.1.95.Final))|https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newHandler-io.netty.buffer.ByteBufAllocator-java.util.concurrent.Executor-]).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
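
Added example, not part of the Jira issue and not Hadoop's or Netty's own code: one way to apply the remediation the description refers to on a Netty 4.1 client, by creating the handler with the peer's host and port and setting the endpoint identification algorithm on its `SSLEngine`. The class name, method name, host `namenode.example.com` and port `9871` are constructed for illustration.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical helper class; not taken from Hadoop.
public final class HostnameVerifyingTls {

    // Builds a client-side SslHandler whose engine checks the server
    // certificate against peerHost during the TLS handshake.
    static SslHandler newVerifyingHandler(SslContext ctx, ByteBufAllocator alloc,
                                          String peerHost, int peerPort) {
        // Use the host/port overload: the engine needs the expected peer
        // name to compare against the names in the certificate.
        SslHandler handler = ctx.newHandler(alloc, peerHost, peerPort);
        SSLEngine engine = handler.engine();
        SSLParameters params = engine.getSSLParameters();
        // "HTTPS" selects the JDK's RFC 2818 style hostname check.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return handler;
    }

    // Audit helper: reports whether a handler's engine will verify hostnames.
    static boolean verifiesHostname(SslHandler handler) {
        String alg = handler.engine().getSSLParameters()
                            .getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        // Client context using the JDK default trust store.
        SslContext ctx = SslContextBuilder.forClient().build();
        ByteBufAllocator alloc = ByteBufAllocator.DEFAULT;

        // Constructed peer address, for illustration only.
        SslHandler plain = ctx.newHandler(alloc);
        SslHandler hardened =
            newVerifyingHandler(ctx, alloc, "namenode.example.com", 9871);

        System.out.println("newHandler(alloc) verifies hostname: "
            + verifiesHostname(plain));
        System.out.println("hardened handler verifies hostname:  "
            + verifiesHostname(hardened));
    }
}
```

The `verifiesHostname` check can be reused in a unit test to assert that every client pipeline in a code base installs a handler with endpoint identification set.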
