rmoff opened a new issue, #16286: URL: https://github.com/apache/iceberg/issues/16286
## Summary

The Kafka Connect runtime distribution bundles several `io.netty` jars at versions affected by **six HIGH-severity CVEs** (five distinct CVE IDs; CVE-2026-42587 affects two jars). All findings share the same root cause — netty is pulled in transitively, not declared directly by Iceberg — and are fixed by the same upstream release line. They are reported as a single issue because a single dependency bump (or constraint) will resolve all of them.

| CVE | Title | Affected jar (bundled version) | Fixed in |
|---|---|---|---|
| [CVE-2026-42583](https://www.tenable.com/cve/CVE-2026-42583) | Netty `Lz4FrameDecoder` resource exhaustion | `io.netty:netty-codec` (`4.1.132.Final`) | `4.1.133.Final` |
| [CVE-2026-42579](https://www.tenable.com/cve/CVE-2026-42579) | Netty DNS Codec Input Validation Bypass (encoder + decoder) | `io.netty:netty-codec-dns` (`4.1.128.Final`) | `4.1.133.Final`, `4.2.13.Final` |
| [CVE-2026-42584](https://www.tenable.com/cve/CVE-2026-42584) | Netty `HttpClientCodec` response desynchronization | `io.netty:netty-codec-http` (`4.1.132.Final`) | `4.1.133.Final`, `4.2.13.Final` |
| [CVE-2026-42587](https://www.tenable.com/cve/CVE-2026-42587) | Netty `HttpContentDecompressor` `maxAllocation` bypass (br/zstd/snappy decompression-bomb DoS) | `io.netty:netty-codec-http` (`4.1.132.Final`) | `4.1.133.Final`, `4.2.13.Final` |
| [CVE-2026-42587](https://www.tenable.com/cve/CVE-2026-42587) | (as above) | `io.netty:netty-codec-http2` (`4.1.132.Final`) | `4.1.133.Final`, `4.2.13.Final` |
| [CVE-2026-42577](https://www.tenable.com/cve/CVE-2026-42577) | Netty epoll transport DoS via RST on half-closed TCP connection | `io.netty:netty-transport-native-epoll` (`4.1.130.Final`) | `4.2.13.Final` |

Netty `4.1.133.Final` and `4.2.13.Final` were both released on 2026-05-04 and are available on Maven Central.
## Reproducing

Build the Kafka Connect runtime distribution and scan with Trivy:

```bash
# Build from main
./gradlew :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip -x test -x integrationTest

# Unzip the distribution
unzip -q kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip -d /tmp/iceberg-kc-scan

# Scan with Trivy (use rootfs mode for standalone JAR detection)
trivy rootfs /tmp/iceberg-kc-scan/iceberg-kafka-connect-runtime-*/lib/ -s HIGH,CRITICAL --scanners vuln
```

These findings are also reported by the Kafka Connect CVE Scan workflow added in [#15430](https://github.com/apache/iceberg/pull/15430); see, for example, [this run](https://github.com/apache/iceberg/actions/runs/25673357835/job/75364306106?pr=15430).

> [!NOTE]
> This analysis was performed with the assistance of Claude Opus 4.7 (Anthropic).
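As an added check (not the issue author's code nor anything in the Iceberg build), the script below walks the unzipped distribution's `lib/` directory produced by the `unzip` step above and lists every bundled netty jar still below a given release, so a dependency bump can be confirmed from the artifact itself before re-running Trivy. The directory path and the minimum version are arguments you supply; the jar names in the test are constructed.

```shell
#!/usr/bin/env bash
# Added check (not from the issue or the Iceberg project): after bumping the
# transitive netty version, confirm that no bundled netty jar in the unzipped
# distribution's lib/ directory is still below the fixed release.
set -u

# version_key "4.1.132.Final" -> 4001132: major/minor/patch folded into one
# integer for numeric comparison; the ".Final" qualifier is ignored.
version_key() {
    local IFS=.
    set -- $1
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# version_lt A B: succeeds when version A is strictly lower than version B.
version_lt() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# netty_jars_below DIR MIN_VERSION
# Prints "<artifact> <version>" for every netty-*.jar in DIR whose version is
# below MIN_VERSION; returns 1 if any were found, 0 if the directory is clean.
netty_jars_below() {
    local dir="$1" min="$2" found=0 jar base artifact version
    for jar in "$dir"/netty-*.jar; do
        [ -e "$jar" ] || continue           # no match: the glob stays literal
        base=$(basename "$jar" .jar)
        artifact=${base%%-[0-9]*}           # strip "-<version>..." suffix
        version=${base#"$artifact"-}        # what follows the artifact name
        version=${version%%-*}              # drop a classifier such as "-linux-x86_64"
        if version_lt "$version" "$min"; then
            printf '%s %s\n' "$artifact" "$version"
            found=1
        fi
    done
    return "$found"
}

# Usage: ./check-netty.sh <lib dir> <minimum netty version>
if [ $# -eq 2 ]; then
    netty_jars_below "$1" "$2" && echo "OK: no netty jar below $2 in $1"
fi
```

Run it against the `lib/` directory from the reproduction steps with `4.1.133.Final` (or `4.2.13.Final`, which the table lists as the only fix for the epoll transport); a non-zero exit status means at least one bundled netty jar is still on an affected version.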
