[ https://issues.apache.org/jira/browse/HBASE-29655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Xavier Fernandis updated HBASE-29655:
-------------------------------------
Description:
*ISSUE SUMMARY*
HBase master branch uses Netty 4.1.123.Final which contains 2 active CVEs that
require immediate attention.
Both vulnerabilities are network-exploitable DoS attacks that could impact
production systems.
*CURRENT SITUATION*
- Current Version: io.netty:netty-all:4.1.123.Final (used via hbase-thirdparty 4.1.12)
- Location: org.apache.hbase.thirdparty:hbase-shaded-netty
- Vulnerabilities Found: 2 active CVEs
- Risk Level: HIGH (network-exploitable DoS attacks)
*VULNERABILITY DETAILS*
1. {color:#ff0000}*CVE-2025-58057*{color} - Decompression DoS Attack
- CVSS Score: 6.9 (Moderate)
- Affected Versions: Netty <= 4.1.124.Final
- Fixed Version: 4.1.125.Final
- Reference:
[https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj]
2. {color:#ff0000}*CVE-2025-55163*{color} - MadeYouReset HTTP/2 DDoS
- CVSS Score: Moderate
- Affected Versions: netty-codec-http2 <= 4.1.123.Final
- Fixed Version: 4.1.124.Final
- Attack Vector: Network-based HTTP/2 protocol vulnerability
- Reference:
[https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4]
*IMPACT ASSESSMENT*
HBase uses netty-all which is a fat jar containing ALL Netty modules, including:
- netty-codec-http2 (vulnerable to CVE-2025-55163)
- netty-codec with decompression codecs (vulnerable to CVE-2025-58057)
*Dependency Chain:*
HBase -> org.apache.hbase.thirdparty:hbase-shaded-netty -> io.netty:netty-all:4.1.123.Final
*RECOMMENDED SOLUTION*
Immediate Action Required:
1. Upgrade Netty to 4.1.125.Final - This fixes both CVEs
*REFERENCES*
- Netty Security Advisories:
[https://github.com/netty/netty/security/advisories]
- CVE-2025-58057:
[https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj]
- CVE-2025-55163:
[https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4]
- HBase Thirdparty: [https://github.com/apache/hbase-thirdparty]
- HBase Main: [https://github.com/apache/hbase]
was:
*ISSUE SUMMARY*
HBase master branch uses Netty 4.1.123.Final which contains 2 active CVEs that
require immediate attention.
Both vulnerabilities are network-exploitable DoS attacks that could impact
production systems.
*CURRENT SITUATION*
- Current Version: io.netty:netty-all:4.1.123.Final (used via hbase-thirdparty 4.1.12)
- Location: org.apache.hbase.thirdparty:hbase-shaded-netty
- Vulnerabilities Found: 2 active CVEs
- Risk Level: HIGH (network-exploitable DoS attacks)
*VULNERABILITY DETAILS*
1. {color:#ff0000}*CVE-2025-58057*{color} - Decompression DoS Attack
- CVSS Score: 6.9 (Moderate)
- Affected Versions: Netty <= 4.1.124.Final
- Fixed Version: 4.1.125.Final
- Reference:
[https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj]
2. {color:#FF0000}*CVE-2025-55163*{color} - MadeYouReset HTTP/2 DDoS
- CVSS Score: Moderate
- Affected Versions: netty-codec-http2 <= 4.1.123.Final
- Fixed Version: 4.1.124.Final
- Attack Vector: Network-based HTTP/2 protocol vulnerability
- Reference:
[https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4]
*IMPACT ASSESSMENT*
HBase uses netty-all which is a fat jar containing ALL Netty modules, including:
- netty-codec-http2 (vulnerable to CVE-2025-55163)
- netty-codec with decompression codecs (vulnerable to CVE-2025-58057)
*Dependency Chain:*
HBase -> org.apache.hbase.thirdparty:hbase-shaded-netty -> io.netty:netty-all:4.1.123.Final
*RECOMMENDED SOLUTION*
Immediate Action Required:
1. Upgrade Netty to 4.1.125.Final - This fixes both CVEs
*REFERENCES*
- Netty Security Advisories:
[https://github.com/netty/netty/security/advisories]
- CVE-2025-58057:
[https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj]
- CVE-2025-55163:
[https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4]
- HBase Thirdparty: [https://github.com/apache/hbase-thirdparty]
- HBase Main: [https://github.com/apache/hbase]
- Similar Issue Reference: https://issues.apache.org/jira/browse/HBASE-29651
> Bumping up the netty version in Hbase-third party to 4.1.125.Final.
> -------------------------------------------------------------------
>
> Key: HBASE-29655
> URL: https://issues.apache.org/jira/browse/HBASE-29655
> Project: HBase
> Issue Type: Bug
> Reporter: Xavier Fernandis
> Assignee: Xavier Fernandis
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
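As an added stand-alone check (not code from HBase, hbase-thirdparty or the issue), the affected ranges stated in the issue reduced to a version test and run over a constructed `mvn dependency:tree` sample; it shows why 4.1.124.Final closes only CVE-2025-55163 while 4.1.125.Final closes both. The Maven coordinates in the sample are constructed, and the regexes assume the default `groupId:artifactId:jar:version:scope` tree layout.

```python
import re

# Affected ranges as stated in the HBASE-29655 description (upper bound inclusive).
NETTY_ADVISORIES = {
    "CVE-2025-58057": {"module": "netty-codec", "last_affected": "4.1.124.Final"},
    "CVE-2025-55163": {"module": "netty-codec-http2", "last_affected": "4.1.123.Final"},
}

# netty-all is a fat jar bundling every Netty module, so it inherits both advisories.
FAT_JARS = {"netty-all"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?$")
_DEP_RE = re.compile(r"io\.netty:([\w.-]+):jar:([\w.-]+):")


def parse_version(version):
    """Turn '4.1.123.Final' into (4, 1, 123); the qualifier is ignored for ordering."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Netty version: {version}")
    return tuple(int(x) for x in m.groups())


def vulnerable_cves(artifact, version):
    """CVE ids from the advisory table that apply to io.netty:<artifact>:<version>."""
    ver = parse_version(version)
    hits = []
    for cve, adv in NETTY_ADVISORIES.items():
        in_scope = artifact in FAT_JARS or artifact == adv["module"]
        if in_scope and ver <= parse_version(adv["last_affected"]):
            hits.append(cve)
    return hits


def audit_dependency_tree(tree_text):
    """Map each vulnerable io.netty artifact in dependency:tree output to its CVEs.

    Caveat: hbase-shaded-netty relocates Netty under org.apache.hbase.thirdparty,
    so its bundled Netty version is not visible here; check the thirdparty release.
    """
    findings = {}
    for line in tree_text.splitlines():
        m = _DEP_RE.search(line)
        if m:
            artifact, version = m.groups()
            cves = vulnerable_cves(artifact, version)
            if cves:
                findings[f"{artifact}:{version}"] = cves
    return findings


# Constructed sample of `mvn dependency:tree` output (not a real HBase build).
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0:compile
[INFO] +- org.apache.hbase.thirdparty:hbase-shaded-netty:jar:4.1.12:compile
[INFO] +- io.netty:netty-all:jar:4.1.123.Final:compile
[INFO] +- io.netty:netty-codec:jar:4.1.124.Final:compile
[INFO] \\- io.netty:netty-codec-http2:jar:4.1.125.Final:compile
"""

if __name__ == "__main__":
    for coord, cves in audit_dependency_tree(SAMPLE_TREE).items():
        print(f"{coord}: {', '.join(cves)}")
```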