[ https://issues.apache.org/jira/browse/JAMES-3567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17328025#comment-17328025 ]

Benoit Tellier edited comment on JAMES-3567 at 4/22/21, 11:31 AM:
------------------------------------------------------------------

Hello, thanks for the report.

Netty upgrade for the SMTP/IMAP stacks is a long-standing topic on which 
contributions would be welcomed.

netty-3.10.6.Final.jar is only used for IMAP and SMTP and thus is not impacted 
by the CVE on HTTP.

netty 4.1.53 is used by our S3 driver; we should likely consider an upgrade.

jgroups is brought in by Apache ActiveMQ Artemis. Please do open a ticket to 
warn them as well. 

A mitigation for James regarding JGroups would be:
 - to see if an Artemis upgrade solves the issue. Edit: an Artemis update would 
not solve it...
 - and remove the dependency on ActiveMQ by better organising the Guice modules 
and their dependencies.

Finally, there is a standard process to discuss possible security problems 
@apache (cf. https://www.apache.org/security/)


> Apache James 3.6 has Critical Vulnerability in dependent libs
> -------------------------------------------------------------
>
>                 Key: JAMES-3567
>                 URL: https://issues.apache.org/jira/browse/JAMES-3567
>             Project: James Server
>          Issue Type: Improvement
>          Components: James Core
>    Affects Versions: 3.6.0
>         Environment: Docker Image: - apache/james:distributed-3.6.0 
>            Reporter: Rikin Patel
>            Priority: Major
>              Labels: vulnerability
>
> /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar:
>     -> HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length 
> header to be accompanied by a second Content-Length header, or by a 
> Transfer-Encoding header.
>     -> HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header 
> that lacks a colon, which might be interpreted as a separate header with an 
> incorrect syntax, or might be interpreted as an "invalid fold".
> Impacted Image File(s): /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar
>
> /root/james-server-cassandra-guice.lib/jgroups-3.6.13.Final.jar:
>     -> JGroups before 4.0 does not require the proper headers for the 
> ENCRYPT and AUTH protocols from nodes joining the cluster, which allows 
> remote attackers to bypass security restrictions and send and receive 
> messages within the cluster via unspecified vectors.

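The scanner output quoted in the issue and the triage in the comment both come down to comparing the version in each jar's file name against the first fixed version of that library, and then asking where James actually uses it. The script below is an added example, not code from Apache James or from either participant in the thread. It walks a lib listing the way the scanner did, by version range on the jar name, and annotates each hit with the usage stated in the comment. The `FIXED_IN` thresholds are the ones quoted in the issue text (Netty 4.1.44, JGroups 4.0); the `USED_BY` table, the constructed jar names in `SAMPLE_LIB` and the `triage_dir` directory layout are assumptions made for this example.

```python
"""Version-range triage of a James lib directory against scanner thresholds.

Added example; the jar names and usage table are constructed for it and are
not the project's own code or data.
"""
import re
from pathlib import Path

# First fixed version of each library family, as quoted in the issue text.
FIXED_IN = {
    "netty": (4, 1, 44),   # "HttpObjectDecoder.java in Netty before 4.1.44"
    "jgroups": (4, 0, 0),  # "JGroups before 4.0 does not require the proper headers"
}

# Where James uses each (family, major version), as stated in the comment.
# Assumption: a static table is enough context for this triage; it records
# the maintainer's statement, it does not verify reachability.
USED_BY = {
    ("netty", 3): "IMAP/SMTP stack only (HTTP codec not in use)",
    ("netty", 4): "S3 blob store driver",
    ("jgroups", 3): "transitive, pulled in by Apache ActiveMQ Artemis",
}

# artifact-<digits[.digits...]>[.|-qualifier].jar, e.g. netty-all-4.1.53.Final.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[.-](?P<qualifier>[A-Za-z0-9]+))?\.jar$"
)


def parse_jar_name(name):
    """Split a jar file name into (artifact, (major, minor, patch), qualifier).

    Returns None for names that do not look like a versioned jar.
    """
    m = JAR_RE.match(name)
    if m is None:
        return None
    parts = tuple(int(p) for p in m.group("version").split("."))
    parts = (parts + (0, 0, 0))[:3]          # pad "30.1" to (30, 1, 0)
    return m.group("artifact"), parts, m.group("qualifier")


def triage(jar_names):
    """Report every jar whose version is below the fixed version for its family.

    The family is the first dash-separated token of the artifact id, so
    netty-all, netty-handler and netty all map to the "netty" threshold.
    """
    findings = []
    for name in sorted(jar_names):
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version, _qualifier = parsed
        family = artifact.split("-")[0]
        fixed = FIXED_IN.get(family)
        if fixed is None or version >= fixed:
            continue                          # unknown family, or already at/above the fix
        findings.append({
            "jar": name,
            "family": family,
            "version": ".".join(map(str, version)),
            "fixed_in": ".".join(map(str, fixed)),
            "used_by": USED_BY.get((family, version[0]),
                                   "unknown; check the dependency tree"),
        })
    return findings


def triage_dir(lib_dir):
    """Run triage over the jar files in a directory such as the image's lib dir."""
    return triage(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed listing mirroring the jars named in the issue, plus one
# unrelated jar to show that families without a threshold are ignored.
SAMPLE_LIB = [
    "netty-3.10.6.Final.jar",
    "netty-all-4.1.53.Final.jar",
    "jgroups-3.6.13.Final.jar",
    "guava-30.1-jre.jar",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LIB):
        print(f"{f['jar']}: {f['version']} < {f['fixed_in']} ({f['used_by']})")
```

Run against `SAMPLE_LIB`, the two hits are `jgroups-3.6.13.Final.jar` and `netty-3.10.6.Final.jar`; `netty-all-4.1.53.Final.jar` is not reported because 4.1.53 is past the 4.1.44 threshold. The Netty 3 hit is exactly the range match the scanner produced, and the `used_by` annotation only records the maintainer's statement that the jar serves IMAP and SMTP; confirming that the HTTP codec is unreachable is a separate code-level check that this script does not perform.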


--
This message was sent by Atlassian Jira
(v8.3.4#803005)