[ https://issues.apache.org/jira/browse/HBASE-29655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xavier Fernandis updated HBASE-29655:
-------------------------------------
    Description: 
*ISSUE SUMMARY*
HBase master branch uses Netty 4.1.123.Final which contains 2 active CVEs that 
require immediate attention.
Both vulnerabilities are network-exploitable DoS attacks that could impact 
production systems.


*CURRENT SITUATION*
- Current Version: io.netty:netty-all:4.1.123.Final (used via hbase-thirdparty 
4.1.12)
- Location: org.apache.hbase.thirdparty:hbase-shaded-netty
- Vulnerabilities Found: 2 active CVEs
- Risk Level: HIGH (network-exploitable DoS attacks)


*VULNERABILITY DETAILS*

1. {color:#FF0000}*CVE-2025-58057*{color} - Decompression DoS Attack
- CVSS Score: 6.9 (Moderate)
- Affected Versions: Netty <= 4.1.124.Final
- Fixed Version: 4.1.125.Final
- Reference: 
https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj


2. *CVE-2025-55163* - MadeYouReset HTTP/2 DDoS
- CVSS Score: Moderate
- Affected Versions: netty-codec-http2 <= 4.1.123.Final  
- Fixed Version: 4.1.124.Final
- Attack Vector: Network-based HTTP/2 protocol vulnerability
- Reference: 
https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4


*IMPACT ASSESSMENT*

HBase uses netty-all which is a fat jar containing ALL Netty modules, including:
- netty-codec-http2 (vulnerable to CVE-2025-55163)
- netty-codec with decompression codecs (vulnerable to CVE-2025-58057)


*Dependency Chain:*
HBase -> org.apache.hbase.thirdparty:hbase-shaded-netty -> 
io.netty:netty-all:4.1.123.Final


*RECOMMENDED SOLUTION*

Immediate Action Required:
1. Upgrade Netty to 4.1.125.Final - This fixes both CVEs
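The version boundaries above (affected up to 4.1.124.Final / 4.1.123.Final, fixed in 4.1.125.Final / 4.1.124.Final) are easy to misread by eye across a large dependency tree, and the shaded hbase-shaded-netty artifact hides the bundled Netty version from coordinate-based scanners. The script below is an added example, not code from this issue, from HBase or from the Netty project. It walks `mvn dependency:tree` output, flags io.netty artifacts that still fall inside the affected ranges stated in this issue, and reports hbase-shaded-netty as opaque so its ${netty.version} gets cross-checked by hand. The advisory table is taken from the text above; the sample tree, and the names audit, affected_cves and version_key, are constructed for this example.

```python
"""Added example (not from the HBase issue or the Netty project): audit a
`mvn dependency:tree` listing for the two Netty advisories named above.

Fixed versions and affected modules come from the issue text; the sample
tree below is constructed for the example and does not describe a real
HBase build."""
import re
from typing import Dict, List, Tuple

# (CVE, io.netty artifacts the issue names as affected, first fixed version).
# netty-all is listed for both because it bundles every Netty module.
ADVISORIES = [
    ("CVE-2025-58057", {"netty-all", "netty-codec"}, "4.1.125.Final"),
    ("CVE-2025-55163", {"netty-all", "netty-codec-http2"}, "4.1.124.Final"),
]

# A Maven coordinate as dependency:tree prints it:
#   groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(r"[\w.\-]+(?::[\w.\-]+){4,5}")


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '4.1.123.Final' into (4, 1, 123) so versions compare numerically.
    Trailing non-numeric qualifiers (Final, SNAPSHOT) are ignored."""
    nums: List[int] = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def affected_cves(artifact: str, version: str) -> List[str]:
    """CVEs from ADVISORIES that still apply to this io.netty artifact version."""
    return [
        cve for cve, artifacts, fixed in ADVISORIES
        if artifact in artifacts and version_key(version) < version_key(fixed)
    ]


def audit(tree_output: str) -> List[Dict[str, str]]:
    """Walk dependency:tree output and report Netty artifacts that are still
    affected, plus shaded jars whose bundled Netty version is not visible."""
    findings: List[Dict[str, str]] = []
    for line in tree_output.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue  # root line or log noise without a full coordinate
        parts = match.group(0).split(":")
        group, artifact, version = parts[0], parts[1], parts[-2]

        # hbase-shaded-netty relocates Netty into its own package, so the real
        # Netty version is the ${netty.version} of that hbase-thirdparty
        # release, not the 4.1.x shown in the coordinate. Scanners that only
        # read coordinates miss it; flag it for a manual cross-check.
        if group == "org.apache.hbase.thirdparty" and artifact == "hbase-shaded-netty":
            findings.append({
                "status": "OPAQUE", "cve": "",
                "artifact": f"{group}:{artifact}", "version": version,
                "fixed": "check netty.version of hbase-thirdparty " + version,
            })
            continue
        if group != "io.netty":
            continue
        for cve in affected_cves(artifact, version):
            fixed = next(f for c, _, f in ADVISORIES if c == cve)
            findings.append({
                "status": "VULNERABLE", "cve": cve,
                "artifact": f"{group}:{artifact}", "version": version, "fixed": fixed,
            })
    return findings


# Constructed sample: not the output of a real HBase build.
SAMPLE_TREE = """\
[INFO] org.apache.hbase:hbase-server:jar:4.0.0-SNAPSHOT
[INFO] +- org.apache.hbase.thirdparty:hbase-shaded-netty:jar:4.1.12:compile
[INFO] +- io.netty:netty-all:jar:4.1.123.Final:compile
[INFO] +- io.netty:netty-codec-http2:jar:4.1.124.Final:compile
[INFO] +- io.netty:netty-codec:jar:4.1.124.Final:compile
[INFO] \\- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.123.Final:compile
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_TREE):
        print(f"{f['status']:10} {f['artifact']}:{f['version']}  {f['cve']}  fixed: {f['fixed']}")
```

Feed it `mvn dependency:tree` output from the module you care about (hbase-server, hbase-client). Note that netty-codec-http2 at 4.1.124.Final is reported clean for CVE-2025-55163 but netty-codec at 4.1.124.Final is still flagged for CVE-2025-58057, which is why the single jump to 4.1.125.Final is the right target rather than the lower of the two fixed versions.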


*REFERENCES*
- Netty Security Advisories: https://github.com/netty/netty/security/advisories
- CVE-2025-58057: 
https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
- CVE-2025-55163: 
https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
- HBase Thirdparty: https://github.com/apache/hbase-thirdparty
- HBase Main: https://github.com/apache/hbase
- Similar Issue Reference: https://issues.apache.org/jira/browse/HBASE-29651


  was:
### __Current Situation__

- __Current Version__: `io.netty:netty-all:4.1.123.Final` (used via 
hbase-thirdparty)
- __Vulnerabilities Found__: 2 active CVEs
- __Risk Level__: HIGH (network-exploitable DoS attacks)

### __CVE Details__

#### __1. CVE-2025-58057 - Decompression DoS Attack__

- __CVSS Score__: 6.9 (Moderate)
- __Affected Versions__: Netty <= 4.1.124.Final
- __Fixed Version__: 4.1.125.Final
- __Attack Vector__: Network-based, no authentication required
- __Impact__: Denial of Service via zip bomb style attack in BrotliDecoder and 
other decompression codecs
- __Reference__: https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj

#### __2. CVE-2025-55163 - MadeYouReset HTTP/2 DDoS__

- __CVSS Score__: Moderate
- __Affected Versions__: netty-codec-http2 <= 4.1.123.Final
- __Fixed Version__: 4.1.124.Final
- __Attack Vector__: Network-based HTTP/2 protocol vulnerability
- __Impact__: Allows unbounded concurrent streams leading to resource exhaustion
- __Reference__: https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4

### __Why HBase is Affected__

HBase uses `netty-all` which is a fat jar containing ALL Netty modules, 
including:

- `netty-codec-http2` (vulnerable to CVE-2025-55163)
- `netty-codec` with decompression codecs (vulnerable to CVE-2025-58057)

### __Fix Recommendations__

#### __Immediate Action Required__

1. __Upgrade Netty to 4.1.125.Final__ - This fixes both CVEs

2. __Two-step upgrade process required__:

   - First: Update hbase-thirdparty repository
   - Second: Update main HBase to use new hbase-thirdparty version

#### __Technical Implementation__

1. __hbase-thirdparty changes__:

   - Repository: https://github.com/apache/hbase-thirdparty
   - Update `${netty.version}` property to `4.1.125.Final`
   - Release new hbase-thirdparty version

2. __HBase main repository changes__:

   - Update `<hbase-thirdparty.version>` to new version
   - Test compatibility with upgraded Netty

### __References__

- Netty Security Advisories: https://github.com/netty/netty/security/advisories
- CVE-2025-58057: https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
- CVE-2025-55163: https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
- HBase Thirdparty: https://github.com/apache/hbase-thirdparty


> Bumping up the netty version in hbase-thirdparty to 4.1.125.Final.
> ------------------------------------------------------------------
>
>                 Key: HBASE-29655
>                 URL: https://issues.apache.org/jira/browse/HBASE-29655
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Xavier Fernandis
>            Priority: Major



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
