[jira] [Resolved] (HBASE-29655) Bumping up the netty version in Hbase-thrid party to 4.1.125.Final.

Thu, 30 Oct 2025 03:25:10 -0700 


     [ 
https://issues.apache.org/jira/browse/HBASE-29655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nihal Jain resolved HBASE-29655.
--------------------------------
    Resolution: Duplicate

> Bumping up the netty version in Hbase-thrid party to 4.1.125.Final.
> -------------------------------------------------------------------
>
>                 Key: HBASE-29655
>                 URL: https://issues.apache.org/jira/browse/HBASE-29655
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Xavier Fernandis
>            Assignee: Xavier Fernandis
>            Priority: Major
>
> *ISSUE SUMMARY*
> HBase master branch uses Netty 4.1.123.Final which contains 2 active CVEs 
> that require immediate attention.
> Both vulnerabilities are network-exploitable DoS attacks that could impact 
> production systems.
>  
> *CURRENT SITUATION*
>  - Current Version: io.netty:netty-all:4.1.123.Final (used via 
> hbase-thirdparty 4.1.12)
>  - Location: org.apache.hbase.thirdparty:hbase-shaded-netty
>  - Vulnerabilities Found: 2 active CVEs
>  - Risk Level: HIGH (network-exploitable DoS attacks)
>  
> *VULNERABILITY DETAILS*
> 1. {color:#ff0000}*CVE-2025-58057*{color} - Decompression DoS Attack
>  - CVSS Score: 6.9 (Moderate)
>  - Affected Versions: Netty <= 4.1.124.Final
>  - Fixed Version: 4.1.125.Final
>  - Reference: 
> [https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj]
>  
> 2. {color:#ff0000}*CVE-2025-55163*{color} - MadeYouReset HTTP/2 DDoS
>  - CVSS Score: Moderate
>  - Affected Versions: netty-codec-http2 <= 4.1.123.Final  
>  - Fixed Version: 4.1.124.Final
>  - Attack Vector: Network-based HTTP/2 protocol vulnerability
>  - Reference: 
> [https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4]
>  
> *IMPACT ASSESSMENT*
> HBase uses netty-all which is a fat jar containing ALL Netty modules, 
> including:
>  - netty-codec-http2 (vulnerable to CVE-2025-55163)
>  - netty-codec with decompression codecs (vulnerable to CVE-2025-58057)
> *Dependency Chain:*
> HBase -> org.apache.hbase.thirdparty:hbase-shaded-netty -> 
> io.netty:netty-all:4.1.123.Final
> *RECOMMENDED SOLUTION*
> Immediate Action Required:
> 1. Upgrade Netty to 4.1.125.Final - This fixes both CVEs
> *REFERENCES*
>  - Netty Security Advisories: 
> [https://github.com/netty/netty/security/advisories]
>  - CVE-2025-58057: 
> [https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj]
>  - CVE-2025-55163: 
> [https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4]
>  - HBase Thirdparty: [https://github.com/apache/hbase-thirdparty]
>  - HBase Main: [https://github.com/apache/hbase]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to