[ https://issues.apache.org/jira/browse/OAK-10591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rishabh Daim updated OAK-10591:
-------------------------------
    Fix Version/s: 1.22.19

> Bump netty dependency from 4.1.96.Final to 4.1.104.Final
> --------------------------------------------------------
>
>                 Key: OAK-10591
>                 URL: https://issues.apache.org/jira/browse/OAK-10591
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: segment-tar
>            Reporter: Andrei Dulceanu
>            Assignee: Andrei Dulceanu
>            Priority: Major
>              Labels: vulnerability
>             Fix For: 1.22.19, 1.62.0
>
>
> *File Matche(s):*
> /netty-common-4.1.96.Final.jar
> *Vulnerabilitie(s)*
> This artifact embeds Netty Project 4.1.96.Final which contains the following 
> vulnerabilitie(s):
> *BDSA-2023-2732/CVE-2023-44487* in version 4.1.96.Final (CVSS 7.5 High): The 
> HTTP/2 protocol contains a flaw related to the stream multiplexing feature 
> that can allow for excessive resource consumption on servers operating 
> implementations of the HTTP/2 protocol. The HTTP/2 protocol allows clients to 
> signal to a server to cancel a previously opened stream by sending an 
> `RST_STREAM` frame. Attackers can abuse this stream canceling ability by 
> opening a large number of streams at once immediately followed by 
> `RST_STREAM` frames. In most HTTP/2 implementations this bypasses concurrent 
> open stream limits and causes servers to spend processing time first handling 
> request frames and then performing stream teardowns. For the server, these 
> operations can pile up whereas the attacker client paid minuscule bandwidth 
> and processing costs.
> [Amazon](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/), 
> [Cloudflare](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)
>  and 
> [Google](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)
>  have reported that this vulnerability has been exploited in the wild from 
> August to October 2023. This vulnerability is listed as exploitable by the 
> Cybersecurity & Infrastructure Security Agency in their [Known Exploited 
> Vulnerabilities 
> Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
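The mechanism the advisory text above describes, as an added worked example that is not part of this Jira issue, of Jackrabbit Oak, or of Netty: it serializes and parses raw HTTP/2 frames (RFC 9113 layout), tracks open streams per connection, and shows why a concurrent-stream cap never trips under Rapid Reset while a sliding-window limit on RST_STREAM frames does. The policy values (100 concurrent streams, 50 resets per 10 s), the one-frame-per-millisecond arrival spacing, and the two traffic traces are assumptions constructed for the example, not Netty's defaults or captured traffic.

```python
import struct
from collections import deque

# Frame types and error codes as numbered in RFC 9113.
HEADERS = 0x1
RST_STREAM = 0x3
CANCEL = 0x8              # error code the attacker puts in its RST_STREAM frames
ENHANCE_YOUR_CALM = 0xB   # GOAWAY error code a server uses to shed abusive load

# Policy values are assumptions chosen for this example, not Netty's defaults.
MAX_CONCURRENT_STREAMS = 100
MAX_RST_PER_WINDOW = 50
RST_WINDOW_SECONDS = 10.0


def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    length = struct.pack(">I", len(payload))[1:]        # low three bytes of the length
    sid = struct.pack(">I", stream_id & 0x7FFFFFFF)     # reserved high bit cleared
    return length + bytes([ftype, flags]) + sid + payload


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        end = off + 9 + length
        if end > len(data):
            break                                       # truncated frame: wait for more bytes
        yield ftype, flags, stream_id, data[off + 9:end]
        off = end


class ConnectionState:
    """Per-connection accounting: open streams plus a sliding window of RST_STREAM arrivals."""

    def __init__(self):
        self.open_streams = set()
        self.rst_times = deque()
        self.peak_concurrent = 0

    def on_frame(self, ftype, stream_id, now):
        """Return None to keep serving, or a GOAWAY error code to close the connection."""
        if ftype == HEADERS:
            self.open_streams.add(stream_id)
            self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
            if len(self.open_streams) > MAX_CONCURRENT_STREAMS:
                return ENHANCE_YOUR_CALM
        elif ftype == RST_STREAM:
            # The stream is gone, so the concurrency cap never sees it, but the
            # server already paid to process HEADERS and must now tear the stream down.
            self.open_streams.discard(stream_id)
            self.rst_times.append(now)
            while self.rst_times and now - self.rst_times[0] > RST_WINDOW_SECONDS:
                self.rst_times.popleft()
            if len(self.rst_times) > MAX_RST_PER_WINDOW:
                return ENHANCE_YOUR_CALM
        return None


def run_connection(data, frame_interval=0.001):
    """Feed a raw byte stream through the state machine using constructed arrival
    times (one frame every frame_interval seconds).
    Returns (frames_processed, peak_concurrent_streams, goaway_code_or_None)."""
    state = ConnectionState()
    processed = 0
    for ftype, _flags, stream_id, _payload in parse_frames(data):
        code = state.on_frame(ftype, stream_id, now=processed * frame_interval)
        processed += 1
        if code is not None:
            return processed, state.peak_concurrent, code
    return processed, state.peak_concurrent, None


def rapid_reset_trace(pairs):
    """Constructed attack traffic: each odd-numbered stream is opened and reset at once."""
    out = bytearray()
    for k in range(pairs):
        sid = 2 * k + 1                                 # client-initiated streams are odd
        # payload 0x82 is the HPACK indexed field ":method: GET"; flags END_HEADERS|END_STREAM
        out += build_frame(HEADERS, sid, payload=b"\x82", flags=0x4 | 0x1)
        out += build_frame(RST_STREAM, sid, payload=struct.pack(">I", CANCEL))
    return bytes(out)


def headers_flood_trace(streams):
    """Constructed traffic that opens streams and never resets them."""
    return b"".join(build_frame(HEADERS, 2 * k + 1, payload=b"\x82", flags=0x4)
                    for k in range(streams))


if __name__ == "__main__":
    print("rapid reset:", run_connection(rapid_reset_trace(300)))   # cut off after 102 frames, peak 1 stream
    print("plain flood:", run_connection(headers_flood_trace(101)))  # cut off by the concurrency cap
    print("benign:     ", run_connection(headers_flood_trace(20)))   # served to completion
```

Against the rapid-reset trace the peak number of concurrently open streams never exceeds one, so a server that relied only on SETTINGS_MAX_CONCURRENT_STREAMS would keep parsing HEADERS and tearing down streams indefinitely; the reset counter closes the connection with GOAWAY(ENHANCE_YOUR_CALM) at the 51st RST_STREAM. Netty 4.1.100.Final and later ship an equivalent per-connection RST_STREAM rate limit, which is why the bump in this issue is the fix rather than any Oak-side change.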