[
https://issues.apache.org/jira/browse/NIFI-4432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16883911#comment-16883911
]
Nathan Gough commented on NIFI-4432:
------------------------------------
The following netty-all versions need to be upgraded; however, this would
require upgrading hadoop-hdfs, spark-core and hbase-client. This will require
careful testing, as these processors are broadly used by NiFi users and would
likely require significant infrastructure changes for those users to maintain
compatibility.
{noformat}
[INFO] --------------< org.apache.nifi:nifi-parquet-processors >---------------
[INFO] Building nifi-parquet-processors 1.10.0-SNAPSHOT [368/435]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-parquet-processors ---
[INFO] org.apache.nifi:nifi-parquet-processors:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-client:jar:2.7.3:provided
[INFO]    \- org.apache.hadoop:hadoop-hdfs:jar:2.7.3:provided
[INFO]       \- io.netty:netty-all:jar:4.0.23.Final:provided
[INFO] ----------------< org.apache.nifi:nifi-spark-receiver >-----------------
[INFO] Building nifi-spark-receiver 1.10.0-SNAPSHOT [411/435]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-spark-receiver ---
[INFO] org.apache.nifi:nifi-spark-receiver:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.spark:spark-streaming_2.10:jar:1.6.0:provided
[INFO]    \- org.apache.spark:spark-core_2.10:jar:1.6.0:provided
[INFO]       \- io.netty:netty-all:jar:4.0.29.Final:provided
[INFO] ----------------< org.apache.nifi:nifi-hdfs-processors >----------------
[INFO] Building nifi-hdfs-processors 1.10.0-SNAPSHOT [73/435]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hdfs-processors ---
[INFO] org.apache.nifi:nifi-hdfs-processors:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-hdfs:jar:3.0.0:provided
[INFO]    \- io.netty:netty-all:jar:4.0.23.Final:provided
[INFO] ----------< org.apache.nifi:nifi-hbase_1_1_2-client-service >-----------
[INFO] Building nifi-hbase_1_1_2-client-service 1.10.0-SNAPSHOT [125/435]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hbase_1_1_2-client-service ---
[INFO] org.apache.nifi:nifi-hbase_1_1_2-client-service:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.hbase:hbase-client:jar:1.1.13:compile
[INFO]    \- io.netty:netty-all:jar:4.0.23.Final:compile
[INFO] --------< org.apache.nifi:nifi-hbase_1_1_2-client-service-nar >---------
[INFO] Building nifi-hbase_1_1_2-client-service-nar 1.10.0-SNAPSHOT [126/435]
[INFO] --------------------------------[ nar ]---------------------------------
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hbase_1_1_2-client-service-nar ---
[INFO] org.apache.nifi:nifi-hbase_1_1_2-client-service-nar:nar:1.10.0-SNAPSHOT
[INFO] \- org.apache.nifi:nifi-hbase_1_1_2-client-service:jar:1.10.0-SNAPSHOT:compile
[INFO]    \- org.apache.hbase:hbase-client:jar:1.1.13:compile
[INFO]       \- io.netty:netty-all:jar:4.0.23.Final:compile
[INFO] ---------------< org.apache.nifi:nifi-flume-processors >----------------
[INFO] Building nifi-flume-processors 1.10.0-SNAPSHOT [199/435]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-flume-processors ---
[INFO] org.apache.nifi:nifi-flume-processors:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-hdfs:jar:2.7.3:provided
[INFO]    \- io.netty:netty-all:jar:4.0.23.Final:provided
{noformat}
> Upgrade version of netty-all due to DoS possibility
> ---------------------------------------------------
>
> Key: NIFI-4432
> URL: https://issues.apache.org/jira/browse/NIFI-4432
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Affects Versions: 1.4.0
> Reporter: Andy LoPresto
> Priority: Minor
> Labels: dependencies, netty, security
>
> As documented in
> [CVE-2016-4970|https://bugzilla.redhat.com/show_bug.cgi?id=1343616],
> {{netty-all}} < 4.0.37.Final is susceptible to a denial of service attack due
> to TLS renegotiation. While Apache NiFi does not directly reference
> {{OpenSslEngine}} in the code, usages of {{io.netty.netty-all}} should be
> upgraded.
> Current transitive dependencies containing {{netty-all}}:
> {code}
> {code}
> Current (absence of) direct usage of {{OpenSslEngine}}:
> {code}
> Targets
> Occurrences of 'netty' in Project with mask '*.java'
> Found Occurrences (29 usages found)
>     Unclassified occurrence (29 usages found)
>         nifi-couchbase-processors (4 usages found)
>             org.apache.nifi.processors.couchbase (4 usages found)
>                 PutCouchbaseKey.java (2 usages found)
>                     51 import com.couchbase.client.deps.io.netty.buffer.ByteBuf;
>                     52 import com.couchbase.client.deps.io.netty.buffer.Unpooled;
>                 TestGetCouchbaseKey.java (2 usages found)
>                     54 import com.couchbase.client.deps.io.netty.buffer.ByteBuf;
>                     55 import com.couchbase.client.deps.io.netty.buffer.Unpooled;
>         nifi-grpc-processors (25 usages found)
>             org.apache.nifi.processors.grpc (25 usages found)
>                 InvokeGRPC.java (7 usages found)
>                     initializeClient(ProcessContext) (4 usages found)
>                         234 final NettyChannelBuilder nettyChannelBuilder = NettyChannelBuilder.forAddress(host, port)
>                         269 nettyChannelBuilder.sslContext(sslContextBuilder.build());
>                         272 nettyChannelBuilder.usePlaintext(true);
>                         275 final ManagedChannel channel = nettyChannelBuilder.build();
>                     62 import io.grpc.netty.GrpcSslContexts;
>                     63 import io.grpc.netty.NettyChannelBuilder;
>                     64 import io.netty.handler.ssl.SslContextBuilder;
>                 ListenGRPC.java (5 usages found)
>                     startServer(ProcessContext) (1 usage found)
>                         185 NettyServerBuilder serverBuilder = NettyServerBuilder.forPort(port)
>                     65 import io.grpc.netty.GrpcSslContexts;
>                     66 import io.grpc.netty.NettyServerBuilder;
>                     67 import io.netty.handler.ssl.ClientAuth;
>                     68 import io.netty.handler.ssl.SslContextBuilder;
>                 TestGRPCClient.java (5 usages found)
>                     buildChannel(String, int, Map<String, String>) (1 usage found)
>                         86 NettyChannelBuilder channelBuilder = NettyChannelBuilder.forAddress(host, port)
>                     38 import io.grpc.netty.GrpcSslContexts;
>                     39 import io.grpc.netty.NettyChannelBuilder;
>                     40 import io.netty.handler.ssl.ClientAuth;
>                     41 import io.netty.handler.ssl.SslContextBuilder;
>                 TestGRPCServer.java (7 usages found)
>                     start(int) (3 usages found)
>                         90 final NettyServerBuilder nettyServerBuilder = NettyServerBuilder
>                         131 nettyServerBuilder.sslContext(sslContextBuilder.build());
>                         134 server = nettyServerBuilder.build().start();
>                     35 import io.grpc.netty.GrpcSslContexts;
>                     36 import io.grpc.netty.NettyServerBuilder;
>                     37 import io.netty.handler.ssl.ClientAuth;
>                     38 import io.netty.handler.ssl.SslContextBuilder;
>                 TestInvokeGRPC.java (1 usage found)
>                     33 import io.netty.handler.ssl.ClientAuth;
> {code}
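The check a defender would run over dependency trees like the ones in the comment above, added here as an example and not code from the NiFi project: it parses `mvn dependency:tree` output, tracks the module and the transitive path, and reports every `netty-all` older than 4.0.37.Final, the fix version the issue names. The sample lines are copied from the comment with the tree indentation restored; the qualifier ranking and the three-columns-per-level indent rule are assumptions about Maven's tree output format.

```python
"""Flag netty-all below the CVE-2016-4970 fix (4.0.37.Final) in mvn dependency:tree output.
Added example, not NiFi project code; sample lines come from the comment above."""
import re

FIXED_VERSION = "4.0.37.Final"  # first fixed netty-all per the issue text
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "final": 3}  # assumed ordering
ROOT_RE = re.compile(r"^\[INFO\] (?P<coords>[\w.-]+:[\w.-]+:\w+:[\w.-]+)$")
DEP_RE = re.compile(r"^\[INFO\] (?P<indent>[| ]*)[+\\]- (?P<coords>\S+)$")

SAMPLE_TREE = r"""[INFO] org.apache.nifi:nifi-parquet-processors:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-client:jar:2.7.3:provided
[INFO]    \- org.apache.hadoop:hadoop-hdfs:jar:2.7.3:provided
[INFO]       \- io.netty:netty-all:jar:4.0.23.Final:provided
[INFO] org.apache.nifi:nifi-spark-receiver:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.spark:spark-streaming_2.10:jar:1.6.0:provided
[INFO]    \- org.apache.spark:spark-core_2.10:jar:1.6.0:provided
[INFO]       \- io.netty:netty-all:jar:4.0.29.Final:provided
[INFO] org.apache.nifi:nifi-hbase_1_1_2-client-service:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.hbase:hbase-client:jar:1.1.13:compile
[INFO]    \- io.netty:netty-all:jar:4.0.23.Final:compile
"""

def version_key(version):
    """Sortable key: numeric parts, then qualifier rank, so 4.0.37.CR1 < 4.0.37.Final < 4.1.0."""
    nums, rank = [], QUALIFIER_RANK["final"]  # an unqualified version counts as Final
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:  # strip a trailing counter, e.g. "CR1" -> "cr"; unknown qualifiers rank lowest
            rank = QUALIFIER_RANK.get(re.sub(r"\d+$", "", part).lower(), 0)
    return tuple(nums + [0] * (4 - len(nums))) + (rank,)

def find_vulnerable_netty(tree_output, fixed=FIXED_VERSION):
    """Return (module, version, scope, path) for each netty-all older than `fixed`."""
    findings, module, path = [], None, []
    for line in tree_output.splitlines():
        root = ROOT_RE.match(line)
        if root:  # a module's root coordinate starts a new tree
            module, path = root.group("coords").split(":")[1], []
            continue
        dep = DEP_RE.match(line)
        if not dep:
            continue
        parts = dep.group("coords").split(":")  # g:a:type[:classifier]:version[:scope]
        version = parts[-2] if len(parts) > 4 else parts[3]
        scope = parts[-1] if len(parts) > 4 else "compile"
        path = path[: len(dep.group("indent")) // 3] + [parts[1]]  # assumed 3 columns per level
        if parts[:2] == ["io.netty", "netty-all"] and version_key(version) < version_key(fixed):
            findings.append((module, version, scope, " -> ".join(path)))
    return findings
```

Feeding the full `mvn dependency:tree` log of a build to `find_vulnerable_netty` lists each affected module with the artifact chain that pulls netty-all in, which is the chain (hadoop-hdfs, spark-core, hbase-client) the comment says must be upgraded.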