Andy LoPresto created NIFI-4432:
-----------------------------------
Summary: Upgrade version of netty-all due to DoS possibility
Key: NIFI-4432
URL: https://issues.apache.org/jira/browse/NIFI-4432
Project: Apache NiFi
Issue Type: Improvement
Components: Extensions
Affects Versions: 1.4.0
Reporter: Andy LoPresto
Priority: Minor
As documented in
[CVE-2016-4970|https://bugzilla.redhat.com/show_bug.cgi?id=1343616],
{{netty-all}} < 4.0.37.Final is susceptible to a denial of service attack due
to TLS renegotiation. While Apache NiFi does not directly reference
{{OpenSslEngine}} in the code, usages of {{io.netty.netty-all}} should be
upgraded.
Current transitive dependencies containing {{netty-all}}:
{code}
{code}
Current (absence of) direct usage of {{OpenSslEngine}}:
{code}
Targets
    Occurrences of 'netty' in Project with mask '*.java'
Found Occurrences (29 usages found)
    Unclassified occurrence (29 usages found)
        nifi-couchbase-processors (4 usages found)
            org.apache.nifi.processors.couchbase (4 usages found)
                PutCouchbaseKey.java (2 usages found)
                    51 import com.couchbase.client.deps.io.netty.buffer.ByteBuf;
                    52 import com.couchbase.client.deps.io.netty.buffer.Unpooled;
                TestGetCouchbaseKey.java (2 usages found)
                    54 import com.couchbase.client.deps.io.netty.buffer.ByteBuf;
                    55 import com.couchbase.client.deps.io.netty.buffer.Unpooled;
        nifi-grpc-processors (25 usages found)
            org.apache.nifi.processors.grpc (25 usages found)
                InvokeGRPC.java (7 usages found)
                    initializeClient(ProcessContext) (4 usages found)
                        234 final NettyChannelBuilder nettyChannelBuilder = NettyChannelBuilder.forAddress(host, port)
                        269 nettyChannelBuilder.sslContext(sslContextBuilder.build());
                        272 nettyChannelBuilder.usePlaintext(true);
                        275 final ManagedChannel channel = nettyChannelBuilder.build();
                    62 import io.grpc.netty.GrpcSslContexts;
                    63 import io.grpc.netty.NettyChannelBuilder;
                    64 import io.netty.handler.ssl.SslContextBuilder;
                ListenGRPC.java (5 usages found)
                    startServer(ProcessContext) (1 usage found)
                        185 NettyServerBuilder serverBuilder = NettyServerBuilder.forPort(port)
                    65 import io.grpc.netty.GrpcSslContexts;
                    66 import io.grpc.netty.NettyServerBuilder;
                    67 import io.netty.handler.ssl.ClientAuth;
                    68 import io.netty.handler.ssl.SslContextBuilder;
                TestGRPCClient.java (5 usages found)
                    buildChannel(String, int, Map<String, String>) (1 usage found)
                        86 NettyChannelBuilder channelBuilder = NettyChannelBuilder.forAddress(host, port)
                    38 import io.grpc.netty.GrpcSslContexts;
                    39 import io.grpc.netty.NettyChannelBuilder;
                    40 import io.netty.handler.ssl.ClientAuth;
                    41 import io.netty.handler.ssl.SslContextBuilder;
                TestGRPCServer.java (7 usages found)
                    start(int) (3 usages found)
                        90 final NettyServerBuilder nettyServerBuilder = NettyServerBuilder
                        131 nettyServerBuilder.sslContext(sslContextBuilder.build());
                        134 server = nettyServerBuilder.build().start();
                    35 import io.grpc.netty.GrpcSslContexts;
                    36 import io.grpc.netty.NettyServerBuilder;
                    37 import io.netty.handler.ssl.ClientAuth;
                    38 import io.netty.handler.ssl.SslContextBuilder;
                TestInvokeGRPC.java (1 usage found)
                    33 import io.netty.handler.ssl.ClientAuth;
{code}
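One way to list the transitive paths that pull in an affected {{netty-all}}, as an added example that is not part of the original ticket or of NiFi: it parses the text output of {{mvn dependency:tree}} and applies the bound the ticket states (below 4.0.37.Final). The sample tree and its {{org.example}} coordinates are constructed for illustration.

```python
import re

# Bound stated in the ticket: netty-all below 4.0.37.Final is affected.
# Only this bound is applied; check the advisory for other release lines.
FIXED_IN = "4.0.37.Final"

# A dependency node: "[INFO] " + tree-drawing prefix + colon-separated coordinates
# (group:artifact:type[:classifier]:version[:scope]).
NODE = re.compile(r"^\[INFO\] ([|+\\\- ]*)([\w.\-]+(?::[\w.\-]+){3,5})\s*$")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\w+))?$")

def version_key(version):
    """Sortable key for Netty versions; qualifiers other than Final rank lower."""
    m = VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised version: {version}")
    released = m.group(4) in (None, "Final")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), int(released))

def find_affected(tree_text, artifact="netty-all", fixed_in=FIXED_IN):
    """Return (version, dependency path) for each affected occurrence."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # plugin banner, build summary, blank line
        depth = len(m.group(1)) // 3  # each tree level is drawn with 3 characters
        coords = m.group(2).split(":")
        del stack[depth:]  # drop siblings and deeper nodes; depth 0 starts a new module
        stack.append(f"{coords[0]}:{coords[1]}")
        version = coords[4] if len(coords) == 6 else coords[3]  # 6 fields = classifier
        if coords[1] == artifact and version_key(version) < version_key(fixed_in):
            hits.append((version, " > ".join(stack)))
    return hits

# Constructed sample output (hypothetical modules and clients).
SAMPLE = r"""
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ module-a ---
[INFO] org.example:module-a:jar:1.0
[INFO] +- org.example:legacy-client:jar:2.3:compile
[INFO] |  \- io.netty:netty-all:jar:4.0.23.Final:compile
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ module-b ---
[INFO] org.example:module-b:jar:1.0
[INFO] \- org.example:other-client:jar:1.1:compile
[INFO]    \- io.netty:netty-all:jar:4.0.37.Final:compile
"""

if __name__ == "__main__":
    for version, path in find_affected(SAMPLE):
        print(f"{version}: {path}")
```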