[ https://issues.apache.org/jira/browse/FLUME-3115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16075293#comment-16075293 ]

Mike Percy commented on FLUME-3115:
-----------------------------------

The CVE says versions of Netty prior to 3.9.2 are vulnerable to a DoS attack 
when using SslHandler. Curator is pulling in the old netty version. The version 
that Flume depends on (looking at trunk) is 3.9.4 but it's possible that since 
both are on the classpath either one may actually be being used.

Really, Curator and Flume should both probably be shading Netty.

Flume may be vulnerable to this DoS today because it uses SslHandler in a 
couple of places:

{code}
$ ag -l SslHandler
flume-ng-core/src/main/java/org/apache/flume/source/AvroSource.java
flume-ng-core/src/test/java/org/apache/flume/source/TestAvroSource.java
flume-ng-core/src/test/java/org/apache/flume/sink/TestAvroSink.java
flume-ng-sdk/src/main/java/org/apache/flume/api/NettyAvroRpcClient.java
{code}

> Upgrade netty library dependency
> --------------------------------
>
>                 Key: FLUME-3115
>                 URL: https://issues.apache.org/jira/browse/FLUME-3115
>             Project: Flume
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>            Reporter: Attila Simon
>            Priority: Critical
>              Labels: dependency
>             Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |io.netty|netty|3.2.2.Final, 3.9.4.Final|4.1.12.Final|
> Note: This artifact was moved to:
> - New Group   io.netty
> - New Artifact        netty-all
> Security vulnerability: http://www.cvedetails.com/cve/CVE-2014-3488/
> Please do:
> - double check the newest version.
> - consider removing a dependency if a better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in 
> which case please add this label `breaking_change` and fix version should be 
> the next major)
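The comment above notes that with both Netty 3.2.2 and 3.9.4 on the classpath, either jar may be the one actually supplying `SslHandler`. The following is an added example, not code from the Flume project or from this JIRA thread, that a defender can run against a deployment to see which jar the class loader resolves `SslHandler` from, and whether other copies are also present. It assumes the Netty 3.x package layout `org.jboss.netty.handler.ssl.SslHandler` (both versions named in the issue are 3.x); the class name `NettyOriginCheck` and the manifest-based version lookup are illustrative choices.

```java
// Added example (not from the Flume project or this thread): report which Netty jar
// supplies SslHandler on the running classpath, and list every other copy found.
// Assumes Netty 3.x package layout (org.jboss.netty.*).
import java.net.URL;
import java.security.CodeSource;
import java.util.Enumeration;

public class NettyOriginCheck {
    // Netty 3.x class name; Netty 4.x would live under io.netty instead.
    private static final String SSL_HANDLER = "org.jboss.netty.handler.ssl.SslHandler";

    public static void main(String[] args) throws Exception {
        // The class the loader actually picks is the one whose behaviour the process gets.
        Class<?> c = Class.forName(SSL_HANDLER);
        CodeSource src = c.getProtectionDomain().getCodeSource();
        URL chosen = (src == null) ? null : src.getLocation();
        System.out.println("SslHandler resolved from: " + chosen);

        // Implementation-Version comes from the jar manifest and may be null;
        // the jar file name from the line above is usually the more reliable hint.
        Package p = c.getPackage();
        String version = (p == null) ? null : p.getImplementationVersion();
        System.out.println("Manifest Implementation-Version: " + version);

        // Enumerate every copy on the classpath, not just the first one found.
        String resource = SSL_HANDLER.replace('.', '/') + ".class";
        Enumeration<URL> all = NettyOriginCheck.class.getClassLoader().getResources(resource);
        int copies = 0;
        while (all.hasMoreElements()) {
            copies++;
            System.out.println("Copy " + copies + ": " + all.nextElement());
        }
        if (copies > 1) {
            System.out.println("WARNING: " + copies + " SslHandler copies on classpath; "
                    + "which one wins depends on classpath order.");
        }
    }
}
```

Run it with the same classpath the agent uses, for example `java -cp "$FLUME_HOME/lib/*:." NettyOriginCheck` (path is an assumption about the install layout); a 3.2.2 jar appearing as the resolved source, or two copies being listed, is the condition the comment above warns about, and the fix is the dependency pin, exclusion or shading the issue proposes rather than relying on classpath order.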


