[
https://issues.apache.org/jira/browse/CASSANDRA-21116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18051763#comment-18051763
]
Kapil Shewate commented on CASSANDRA-21116:
-------------------------------------------
apache-cassandra/lib/netty-all-4.1.119.Final.jar
Is Cassandra 5.0.4 vulnerable , will the netty jars be upgraded to higher
versions in future releases of Cassandra
> CVE-2025-55163 Reported by BlackDuck scan in Cassandra 5.0.4
> ------------------------------------------------------------
>
> Key: CASSANDRA-21116
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21116
> Project: Apache Cassandra
> Issue Type: Bug
> Reporter: Kapil Shewate
> Priority: Normal
>
> CVE-2025-55163
> Netty is an asynchronous, event-driven network application framework. Prior
> to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to
> MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol,
> that uses malformed HTTP/2 control frames in order to break the max
> concurrent streams limit - which results in resource exhaustion and
> distributed denial of service. This issue has been patched in versions
> 4.1.124.Final and 4.2.4.Final.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
