[
https://issues.apache.org/jira/browse/ZOOKEEPER-4405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17475112#comment-17475112
]
wcmrnd1 commented on ZOOKEEPER-4405:
------------------------------------
Please update ZooKeeper to use netty-4.1.72.Final.
> High Security issues reported with Netty library bundled in ZooKeeper 3.6.3 and 3.7
> ------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4405
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4405
> Project: ZooKeeper
> Issue Type: Bug
> Affects Versions: 3.6.3, 3.7.0
> Reporter: WCM RnD
> Priority: Critical
>
> The Netty library used in ZooKeeper has the following high-severity security
> vulnerabilities reported.
> BDSA-2021-2832
> *Affected Component(s):* Netty Project
> *Vulnerability Published:* 2021-09-23 06:15 EDT
> *Vulnerability Updated:* 2021-09-23 06:15 EDT
> *CVSS Score:* 6.5 (overall), 7.5 (base)
> *Summary*: Netty is vulnerable to excessive memory usage due to being unable
> to set size restrictions on decompressed data input. An attacker could
> exploit this by supplying crafted input in order to cause a denial-of-service
> (DoS).
> *Solution*: Fixed in version netty-4.1.68.Final
>
> BDSA-2021-2831
> *Affected Component(s):* Netty Project
> *Vulnerability Published:* 2021-09-22 07:35 EDT
> *Vulnerability Updated:* 2021-09-22 07:35 EDT
> *CVSS Score:* 6.5 (overall), 7.5 (base)
> *Summary*: Netty is susceptible to excessive memory usage due to missing
> chunk length restrictions and the potential buffering of reserved skippable
> chunks until the complete chunk has been received. An attacker could exploit
> this by supplying crafted input in order to cause a denial-of-service (DoS).
> *Solution*: Fixed in version netty-4.1.68.Final
>
> Request to update the library to netty-4.1.68.Final, where the vulnerabilities
> are fixed.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
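As an added example (not code from Netty, ZooKeeper or the issue reporter), the defensive pattern both advisories point at: inflate in bounded steps and stop as soon as the output exceeds a configured cap, so memory use is governed by the cap rather than by how far a crafted stream expands. It uses Python's zlib instead of Netty's decoders; the 1 MiB cap and the constructed "bomb" input are assumptions.

```python
import zlib

MAX_DECOMPRESSED = 1024 * 1024  # assumed cap (1 MiB); size it for the real protocol


class DecompressionLimitExceeded(Exception):
    """Raised when inflating the input would produce more than the allowed bytes."""


def decompress_bounded(data: bytes, max_out: int = MAX_DECOMPRESSED,
                       step: int = 64 * 1024) -> bytes:
    """Inflate zlib-compressed `data`, never materialising more than `max_out` bytes.

    Each decompress() call is limited by max_length, so a stream that expands
    enormously is rejected after at most max_out + step bytes of output.
    """
    dec = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not dec.eof:
        piece = dec.decompress(pending, max_length=step)
        out += piece
        if len(out) > max_out:
            raise DecompressionLimitExceeded(f"output exceeded {max_out} bytes")
        pending = dec.unconsumed_tail  # input the decoder could not consume yet
        if not piece and not pending and not dec.eof:
            # input exhausted, no progress, no end-of-stream marker: truncated
            raise zlib.error("truncated compressed stream")
    out += dec.flush()
    if len(out) > max_out:
        raise DecompressionLimitExceeded(f"output exceeded {max_out} bytes")
    return bytes(out)


def decompress_within_limit(data: bytes, max_out: int = MAX_DECOMPRESSED):
    """Return the inflated bytes, or None when the cap would be exceeded."""
    try:
        return decompress_bounded(data, max_out)
    except DecompressionLimitExceeded:
        return None


# Constructed input: 8 MiB of zeros compresses to a few KiB, the shape of a
# decompression bomb that an unbounded decoder would expand in full.
BOMB = zlib.compress(bytes(8 * 1024 * 1024), 9)

if __name__ == "__main__":
    print("bomb size on the wire:", len(BOMB))
    print("accepted under 1 MiB cap:", decompress_within_limit(BOMB) is not None)
```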