[
https://issues.apache.org/jira/browse/ZOOKEEPER-3794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Patrick D. Hunt reassigned ZOOKEEPER-3794:
------------------------------------------
Assignee: Patrick D. Hunt
> upgrade netty to address CVE-2020-11612
> ---------------------------------------
>
> Key: ZOOKEEPER-3794
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3794
> Project: ZooKeeper
> Issue Type: Task
> Components: security
> Reporter: Patrick D. Hunt
> Assignee: Patrick D. Hunt
> Priority: Blocker
>
> The owasp checker is failing with the following. I looked and seems like a
> DOS attack vector "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for
> unbounded memory allocation while decoding a ZlibEncoded byte stream. An
> attacker could send a large ZlibEncoded byte stream to the Netty server,
> forcing the server to allocate all of its free memory to a single decoder."
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] netty-handler-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-common-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-buffer-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-transport-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-resolver-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-codec-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-transport-native-epoll-4.1.45.Final.jar: CVE-2020-11612
> [ERROR] netty-transport-native-unix-common-4.1.45.Final.jar: CVE-2020-11612
> [ERROR]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
