Disha Talreja created ATLAS-4806: ------------------------------------ Summary: Upgrade netty to 4.1.100.Final due to CVE-2023-44487 Key: ATLAS-4806 URL: https://issues.apache.org/jira/browse/ATLAS-4806 Project: Atlas Issue Type: Task Components: atlas-core Reporter: Disha Talreja Assignee: Disha Talreja
CVE-2023-44487 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. *Base Score:* [7.5 HIGH|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-44487&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1&source=NIST] There is a known exploit for this vulnerability, so we need to prioritise this despite it being a High severity CVE and not a critical. [https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p] h4. -- This message was sent by Atlassian Jira (v8.20.10#820010)