[ https://issues.apache.org/jira/browse/OAK-10591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrei Dulceanu updated OAK-10591:
----------------------------------
    Description: 
*File Match(es):*
/netty-common-4.1.96.Final.jar

*Vulnerability(ies)*
This artifact embeds Netty Project 4.1.96.Final which contains the following 
vulnerability(ies):

*BDSA-2023-2732/CVE-2023-44487* in version 4.1.96.Final (CVSS 7.5 High): The 
HTTP/2 protocol contains a flaw related to the stream multiplexing feature that 
can allow for excessive resource consumption on servers operating 
implementations of the HTTP/2 protocol. The HTTP/2 protocol allows clients to 
signal to a server to cancel a previously opened stream by sending an 
`RST_STREAM` frame. Attackers can abuse this stream canceling ability by 
opening a large number of streams at once immediately followed by `RST_STREAM` 
frames. In most HTTP/2 implementations this bypasses concurrent open stream 
limits and causes servers to spend processing time first handling request 
frames and then performing stream tear downs. For the server, these operations 
can pile up whereas the attacker client paid minuscule bandwidth and processing 
costs. 
[Amazon](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/), 
[Cloudflare](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)
 and 
[Google](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)
 have reported that this vulnerability has been exploited in the wild from 
August to October 2023. This vulnerability is listed as exploitable by the 
Cybersecurity & Infrastructure Security Agency in their [Known Exploited 
Vulnerabilities 
Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

  was:
io.netty : netty-codec : 4.1.52.Final sonatype-2021-0789

*Summary*:
sonatype-2021-0789

*Explanation*
The netty-codec package contains a Buffer Overflow vulnerability. The 
finishEncode function in the Lz4FrameEncoder class incorrectly estimates 
the buffer size when writing a footer for the last header. An attacker could 
abuse this behavior by sending a payload to the flawed application that will 
overwrite contiguous memory chunks in the heap, resulting in a Denial of 
Service (DoS) condition or other unintended behavior.

*Detection*
The application is vulnerable by using this component.

*Recommendation*
We recommend upgrading to a version of this component that is not vulnerable 
to this specific issue.
Note: If this component is included as a bundled/transitive dependency of 
another component, there may not be an upgrade path. In this instance, we 
recommend contacting the maintainers who included the vulnerable package. 
Alternatively, we recommend investigating alternative components or a potential 
mitigating control.

*Root Cause*
netty-codec-4.1.52.Final.jar <= 
io/netty/handler/codec/compression/Lz4FrameEncoder.class:[4.1.0.Beta2 , 
4.1.66.Final)

*Advisories*
Project:
[https://github.com/netty/netty/pull/11429]


> Bump netty dependency from 4.1.96.Final to 4.1.104.Final
> --------------------------------------------------------
>
>                 Key: OAK-10591
>                 URL: https://issues.apache.org/jira/browse/OAK-10591
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: segment-tar
>            Reporter: Andrei Dulceanu
>            Assignee: Andrei Dulceanu
>            Priority: Major
>              Labels: vulnerability
>             Fix For: 1.62.0
>
>


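The description above explains why an HTTP/2 Rapid Reset client gets past a server's concurrent-stream limit: every stream is reset the moment it is opened, so the count of open streams never grows, while the server still pays for a header decode and a stream teardown per pair of frames. The following is an added example (not code from Jackrabbit Oak, Netty, or the scanner report) that makes this concrete. It serializes and parses the 9-byte HTTP/2 frame header from a constructed byte stream, replays a constructed HEADERS/RST_STREAM burst against a server model that only enforces a concurrent-stream limit, and then against one that also counts RST_STREAM frames per time window and drops the connection when a budget is exceeded, which is the class of mitigation the vendor write-ups linked above describe. The stream limit (100), the reset budget (200 per 30 seconds) and the frame arrival spacing are assumptions chosen for the illustration, not Netty's settings.

```python
"""HTTP/2 Rapid Reset (CVE-2023-44487): concurrent-stream limit vs. reset-rate budget.

Added example; the limits below are assumptions, not Netty or Oak configuration.
"""
from collections import deque

# Frame types, flags and error codes used here (RFC 9113 sections 6 and 7).
FRAME_HEADERS = 0x1
FRAME_RST_STREAM = 0x3
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
ERR_CANCEL = 0x8
FRAME_HEADER_LEN = 9


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, R + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Return a list of (type, flags, stream_id, payload); a truncated trailing frame is dropped."""
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        off += FRAME_HEADER_LEN + length
    return frames


class ServerConnection:
    """Server-side bookkeeping for one connection.

    max_concurrent_streams stands in for SETTINGS_MAX_CONCURRENT_STREAMS.
    max_rst_per_window / window_seconds is the additional check: count RST_STREAM
    frames in a sliding window and drop the connection once the budget is exceeded.
    Pass max_rst_per_window=None to model a server without that check.
    """

    def __init__(self, max_concurrent_streams=100, max_rst_per_window=200, window_seconds=30.0):
        self.max_concurrent_streams = max_concurrent_streams
        self.max_rst_per_window = max_rst_per_window
        self.window_seconds = window_seconds
        self.open_streams = set()
        self.peak_open = 0
        self.work_units = 0      # request dispatches plus stream teardowns performed
        self.refused = 0         # streams rejected by the concurrent-stream limit
        self.rst_times = deque()
        self.closed = None       # GOAWAY error name once the connection is dropped

    def handle(self, ftype, flags, stream_id, now):
        if self.closed:
            return "dropped"
        if ftype == FRAME_HEADERS:
            if stream_id in self.open_streams:
                return "ignored"
            if len(self.open_streams) >= self.max_concurrent_streams:
                self.refused += 1            # server would answer RST_STREAM(REFUSED_STREAM)
                return "refused"
            self.open_streams.add(stream_id)
            self.peak_open = max(self.peak_open, len(self.open_streams))
            self.work_units += 1             # decode headers, route, start the handler
            return "opened"
        if ftype == FRAME_RST_STREAM:
            self.open_streams.discard(stream_id)
            self.work_units += 1             # tear the stream and its handler down
            if self.max_rst_per_window is not None:
                self.rst_times.append(now)
                while self.rst_times and self.rst_times[0] <= now - self.window_seconds:
                    self.rst_times.popleft()
                if len(self.rst_times) > self.max_rst_per_window:
                    self.closed = "ENHANCE_YOUR_CALM"   # sent in GOAWAY, connection closed
                    return "goaway"
            return "reset"
        return "ignored"


def rapid_reset_bytes(n_streams):
    """Constructed attacker traffic: each HEADERS is immediately followed by RST_STREAM(CANCEL)."""
    out = bytearray()
    for i in range(n_streams):
        sid = 2 * i + 1                      # client-initiated stream ids are odd
        # HPACK static-table indices 2 and 4: ":method GET", ":path /"
        out += encode_frame(FRAME_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, b"\x82\x84")
        out += encode_frame(FRAME_RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big"))
    return bytes(out)


def replay(data, conn, frame_interval=0.0001):
    """Feed the frames to the server model; the i-th frame arrives at i*frame_interval seconds."""
    last = None
    for i, (ftype, flags, sid, _payload) in enumerate(parse_frames(data)):
        last = conn.handle(ftype, flags, sid, now=i * frame_interval)
    return last


def compare(n_streams=10_000):
    """Run the same burst against a stream-limit-only server and a reset-budget server."""
    attack = rapid_reset_bytes(n_streams)
    naive = ServerConnection(max_concurrent_streams=100, max_rst_per_window=None)
    hardened = ServerConnection(max_concurrent_streams=100, max_rst_per_window=200, window_seconds=30.0)
    replay(attack, naive)
    replay(attack, hardened)
    return {
        "naive": {"peak_open": naive.peak_open, "refused": naive.refused,
                  "work_units": naive.work_units, "closed": naive.closed},
        "hardened": {"work_units": hardened.work_units, "closed": hardened.closed},
    }


if __name__ == "__main__":
    print(compare())
```

With 10,000 attack streams the stream-limit-only server never has more than one stream open, refuses nothing, and performs 20,000 units of work for a client that sent a few hundred kilobytes; the server with the reset budget closes the connection after the 201st RST_STREAM, having done 402 units of work. Note that the scanner matched on netty-common in this ticket while the frame handling modelled here lives in Netty's HTTP/2 codec module (netty-codec-http2); the finding is a version match on the Netty release, and the version bump resolves it either way.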

--
This message was sent by Atlassian Jira
(v8.20.10#820010)