[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1038779798 I merged this to the following branches:
- master
- branch-3.8.0
- branch-3.8
- branch-3.7
- branch-3.6

On branch 3.5 I don't see we use netty tcnative, at least we don't have it explicitly added in pom.xml. However, I see some other CVE errors on that branch. We will have to handle branch-3.5 with a separate Jira later (after the 3.8.0 release, when we prepare 3.5.10)

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@zookeeper.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036195421 OK, I double-checked all the CVE errors detected by the latest OWASP 6.5.3. All of these are false positives. Also I checked the maven dependency tree to make sure we don't have any old netty/jetty/commons-io jars on the classpath. I think we are good to go. But I still recommend updating to the latest OWASP version in our project and also suppressing these CVEs below. (let's hope OWASP will be fixed later to produce less false positives)
- CVE-2021-43797 - fixed in netty 4.1.71 (we use 4.1.73)
- CVE-2019-16869 - fixed in netty 4.1.42 (we use 4.1.73)
- CVE-2015-2156 - fixed in netty 4.1.0 (we use 4.1.73)
- CVE-2021-37136 - fixed in netty 4.1.68 (we use 4.1.73)
- CVE-2014-3488 - fixed after netty 3.9.1 (we use 4.1.73)
- CVE-2021-37137 - fixed in netty 4.1.68 (we use 4.1.73)
- CVE-2019-20445 - fixed in netty 4.1.44 (we use 4.1.73)
- CVE-2019-20444 - fixed in netty 4.1.44 (we use 4.1.73)
- CVE-2021-21295 - fixed in netty 4.1.60 (we use 4.1.73)
- CVE-2021-21409 - fixed in netty 4.1.61 (we use 4.1.73)
- CVE-2021-21290 - fixed in netty 4.1.59 (we use 4.1.73)
- CVE-2021-29425 - fixed in commons-io 2.7 (we use 2.11)
- CVE-2021-28164 - fixed in jetty 9.4.39 (we use 9.4.43)
- CVE-2021-34429 - fixed in jetty 9.4.42 (we use 9.4.43)
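The triage in the comment above is a mechanical check: for every reported CVE, look up the component it really applies to, take that component's version from `mvn dependency:tree`, and compare it with the first fixed release. Below is an added example of that check, written for this page and not code from the ZooKeeper project or from the PR. It encodes the fourteen findings listed above as data (the "flagged" package URLs for netty-tcnative and zookeeper-jute are assumed from the jar names in the dependency-check output), does a Maven-style version comparison that understands qualifiers such as `.Final`, and emits entries in the dependency-check suppression file format (`<packageUrl regex="true">` plus `<cve>`), keyed on the flagged artifact so that the same CVE would still fire if a genuinely old netty ever reappeared on the classpath. The `Finding` type and helper names are this example's own.

```python
"""Triage of OWASP dependency-check findings: compare the version actually on the
classpath with the release that fixed the CVE, then emit suppression entries
(in dependency-check's suppressions.xml format) for the confirmed false positives."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from xml.sax.saxutils import escape

# Simplified Maven ComparableVersion ordering: pre-release qualifiers sort below a
# bare or "Final" version, "sp" above it, and an unknown qualifier (jetty's
# "v20210629", for instance) is treated as later than "Final".
_QUALIFIER_RANK = {"alpha": -5, "a": -5, "beta": -4, "b": -4, "milestone": -3, "m": -3,
                   "rc": -2, "cr": -2, "snapshot": -1, "": 0, "final": 0, "ga": 0,
                   "release": 0, "sp": 1}


def parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """'4.1.73.Final' -> ((4, 1, 73), (0, 0)); '4.1.73.RC1' -> ((4, 1, 73), (-2, 1))."""
    parts = re.split(r"[.\-]", v.strip())
    i = 0
    while i < len(parts) and parts[i].isdigit():
        i += 1
    nums = tuple(int(p) for p in parts[:i])
    qual = "".join(parts[i:]).lower()
    word, digits = re.match(r"([a-z]*)(\d*)", qual).groups()
    return nums, (_QUALIFIER_RANK.get(word, 2), int(digits or 0))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like a comparator; missing numeric components count as zero."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    ka = (na + (0,) * (width - len(na)), qa)
    kb = (nb + (0,) * (width - len(nb)), qb)
    return (ka > kb) - (ka < kb)


@dataclass(frozen=True)
class Finding:
    cve: str
    flagged_purl: str   # package dependency-check attached the CVE to (assumed purl)
    affected: str       # component the CVE really applies to, per NVD
    fixed_in: str       # first fixed release of that component
    in_use: str         # version of that component from `mvn dependency:tree`

    def is_false_positive(self) -> bool:
        return compare(self.in_use, self.fixed_in) >= 0


TCNATIVE = "pkg:maven/io.netty/netty-tcnative@2.0.48.Final"          # assumed purl
JUTE = "pkg:maven/org.apache.zookeeper/zookeeper-jute@3.8.0-SNAPSHOT"  # assumed purl

# The fourteen findings from the comment above. CVE-2014-3488 is listed there as
# "fixed after 3.9.1"; any 4.x is past that, so 3.9.1 is used as the threshold.
PAGE_FINDINGS: List[Finding] = [
    Finding(cve, TCNATIVE, "netty", fixed, "4.1.73.Final") for cve, fixed in [
        ("CVE-2021-43797", "4.1.71"), ("CVE-2019-16869", "4.1.42"), ("CVE-2015-2156", "4.1.0"),
        ("CVE-2021-37136", "4.1.68"), ("CVE-2014-3488", "3.9.1"), ("CVE-2021-37137", "4.1.68"),
        ("CVE-2019-20445", "4.1.44"), ("CVE-2019-20444", "4.1.44"), ("CVE-2021-21295", "4.1.60"),
        ("CVE-2021-21409", "4.1.61"), ("CVE-2021-21290", "4.1.59")]
] + [
    Finding("CVE-2021-29425", JUTE, "commons-io", "2.7", "2.11"),
    Finding("CVE-2021-28164", JUTE, "jetty", "9.4.39", "9.4.43"),
    Finding("CVE-2021-34429", JUTE, "jetty", "9.4.42", "9.4.43"),
]


def triage(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (false positives, findings that need a real fix)."""
    fps = [f for f in findings if f.is_false_positive()]
    real = [f for f in findings if not f.is_false_positive()]
    return fps, real


def suppression_xml(findings: List[Finding]) -> str:
    """One <suppress> per flagged package, matched by packageUrl regex (version-agnostic),
    with a note recording why each CVE is a false positive."""
    groups: Dict[str, List[Finding]] = {}
    for f in findings:
        groups.setdefault(f.flagged_purl, []).append(f)
    out = ['<?xml version="1.0" encoding="UTF-8"?>',
           '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">']
    for purl, group in groups.items():
        base = purl.split("@", 1)[0]
        note = "; ".join(f"{g.cve}: fixed in {g.affected} {g.fixed_in}, {g.in_use} in use" for g in group)
        out.append("  <suppress>")
        out.append(f"    <notes><![CDATA[{note}]]></notes>")
        out.append(f'    <packageUrl regex="true">^{re.escape(base)}@.*$</packageUrl>')
        for g in sorted(group, key=lambda g: g.cve):
            out.append(f"    <cve>{escape(g.cve)}</cve>")
        out.append("  </suppress>")
    out.append("</suppressions>")
    return "\n".join(out)


if __name__ == "__main__":
    fps, real = triage(PAGE_FINDINGS)
    print(f"{len(fps)} false positives, {len(real)} need action")
    print(suppression_xml(fps))
```

Only findings whose in-use version is at or past the fix are turned into suppressions; anything else is left to fail the build, which is the point of keeping the CVSS threshold at 0.0.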
[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036176185 I tried again, purging my local CVE database this time before running the new OWASP check with latest OWASP 6.5.3. It still reports the same 11 netty and 3 other CVEs that I listed before.
[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036170324 I think the nicest would be to update to the latest OWASP, then go through the reported CVEs one-by-one to see if they are really false positives.
[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036169071 yeah... although even the latest OWASP version seems to find false positives:
```
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check (default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869, CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137, CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409, CVE-2021-21290
[ERROR] zookeeper-jute-3.8.0-SNAPSHOT.jar: CVE-2021-29425, CVE-2021-28164, CVE-2021-34429
```
Here e.g. CVE-2021-43797 should affect only netty prior to 4.1.71.Final and we already have 4.1.73.Final. See: https://nvd.nist.gov/vuln/detail/CVE-2021-43797

Interesting that OWASP 6.5.3 found some additional CVEs. (e.g. CVE-2021-29425, etc) These should be investigated too.
[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036141751 I checked the maven dependency tree, and we don't have any old netty on our class path. These CVEs should not have appeared. Maybe OWASP is mixing the netty-tcnative version with the regular netty version?
[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036133003
> I see in the pom.xml file that we use a quite recent netty, but a very old netty-tcnative-classes

never mind, I see 2.0.48.Final is actually the latest netty-tcnative. In this case I don't understand why these old CVEs appeared now. How can we get e.g. this one: https://nvd.nist.gov/vuln/detail/CVE-2015-2156 This should not be reported for 4.1.73.Final and this has nothing to do with netty-tcnative, AFAICT

Do we have some old netty on our classpath we should exclude?
[GitHub] [zookeeper] symat commented on pull request #1817: ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative
symat commented on pull request #1817: URL: https://github.com/apache/zookeeper/pull/1817#issuecomment-1036119664 Are we absolutely sure we can simply skip these checks for the netty-tcnative library? Isn't this something we use through netty when we do ClientTLS or QuorumTLS? I see in the pom.xml file that we use a quite recent netty, but a very old netty-tcnative-classes:
```
<netty.version>4.1.73.Final</netty.version>
<netty.tcnative.version>2.0.48.Final</netty.tcnative.version>
(...)
<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-handler</artifactId>
  <version>${netty.version}</version>
  <exclusions>
    <exclusion>
      <groupId>io.netty</groupId>
      <artifactId>netty-tcnative-classes</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-transport-native-epoll</artifactId>
  <version>${netty.version}</version>
</dependency>
<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-tcnative</artifactId>
  <version>${netty.tcnative.version}</version>
</dependency>
```
Some of these CVEs are actually quite scary (many affecting only the https admin api interface, but some can affect regular QuorumSSL and ClientSSL interfaces too, AFAICT).

I also don't really understand what the netty-tcnative-classes artifact is. It is not mentioned in the documentation I found about netty-tcnative: https://netty.io/wiki/forked-tomcat-native.html