It looks like that CVE only affects io.netty:netty-codec-http2. Since our
hbase-shaded-netty depends on netty-all, that module is included. However,
I don't think we use anything from netty-codec-http2. So I don't think the
CVE is a risk for this usage, unless you are building an app using the
org.apache.hbase.thirdparty.io.netty classes. This would not be advised.

That said, we could try to bump hbase-thirdparty to 4.1.100+ and include
that in the upcoming 2.6.0 or 2.5.8 when that happens. If the CVE were
critical we could rush out another minor release, but I don't think it's
necessary here? I also wonder if we should update hbase-shaded-netty to
only pull in the netty modules we actually use.

On Thu, Jan 4, 2024 at 11:14 AM Dan Huff <dan.h...@dremio.com.invalid>
wrote:

> Thanks Bryan. That does help explain things. I have been looking at
> https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p and
> have been trying to determine if hbase is vulnerable to this attack vector
> or not. I got excited when I saw 4.1.100.Final in 2.5.7 but it sounds like
> that excitement was misplaced :)
>
> Dan
>
> On Tue, Jan 2, 2024 at 12:54 PM Bryan Beaudreault <bbeaudrea...@apache.org
> >
> wrote:
>
> > Hello,
> >
> > As the comment above the netty version change says, this only affects the
> > transitive netty dependencies from thirdparty dependencies like zookeeper
> > and hadoop. HBase's internal netty usage (i.e. for HBase's RPC protocol)
> > uses the shaded netty provided by hbase-thirdparty.
> >
> > While you're generally correct that in maven you'd expect a version
> defined
> > in dependencyManagement to affect all transitive dependencies, that is
> not
> > the case for hbase-thirdparty due to the shading we do there. At the time
> > of building hbase-thirdparty, the defined netty version there is pulled
> in
> > and relocated to org.apache.hbase.thirdparty.io.netty and published as a
> > new maven module named hbase-shaded-netty. As such, the
> > dependencyManagement has no effect on it.
> >
> > I hope this helps
> >
> > On Tue, Jan 2, 2024 at 2:40 PM Dan Huff <dan.h...@dremio.com.invalid>
> > wrote:
> >
> > > Hello there Hbase Devs--
> > >
> > > I have been investigating taking an update to Hbase 2.5.7 after the
> > release
> > > last week and have what I hope is a quick question about commit 7639345
> > > <
> > >
> >
> https://github.com/apache/hbase/commit/7639345a970636e7a9eb7adf6d84dadd6f3fccb9
> > > >
> > > in
> > > branch-2.5.
> > >
> > > Am I correct in believing that the direct inclusion of netty
> > 4.1.100.Final
> > > in Hbase's pom.xml will override the 4.1.97.Final version that is
> > > specified in hbase-thirdparty
> > > <
> https://github.com/apache/hbase-thirdparty/blob/rel/4.1.5/pom.xml#L137
> > >?
> > > I
> > > see 4.1.100.Final listed on
> > > https://hbase.apache.org/dependency-management.html which to me
> suggests
> > > that I am understanding this correctly that issues flagged against
> > > 4.1.97.Final can be ignored since Hbase will now just use
> 4.1.100.Final.
> > >
> > > Thanks so much for your time,
> > >
> > > Dan Huff
> > >
> >
>

Reply via email to