Xavier Fernandis created HBASE-29655:
----------------------------------------
Summary: Bumping up the netty version in hbase-thirdparty to 4.1.125.Final.
Key: HBASE-29655
URL: https://issues.apache.org/jira/browse/HBASE-29655
Project: HBase
Issue Type: Bug
Reporter: Xavier Fernandis
### __Current Situation__
- __Current Version__: `io.netty:netty-all:4.1.123.Final` (used via hbase-thirdparty)
- __Vulnerabilities Found__: 2 active CVEs
- __Risk Level__: HIGH (network-exploitable DoS attacks)
### __CVE Details__
#### __1. CVE-2025-58057 - Decompression DoS Attack__
- __CVSS Score__: 6.9 (Moderate)
- __Affected Versions__: Netty <= 4.1.124.Final
- __Fixed Version__: 4.1.125.Final
- __Attack Vector__: Network-based, no authentication required
- __Impact__: Denial of Service via zip bomb style attack in BrotliDecoder and other decompression codecs
- __Reference__: https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
#### __2. CVE-2025-55163 - MadeYouReset HTTP/2 DDoS__
- __CVSS Score__: Moderate
- __Affected Versions__: netty-codec-http2 <= 4.1.123.Final
- __Fixed Version__: 4.1.124.Final
- __Attack Vector__: Network-based HTTP/2 protocol vulnerability
- __Impact__: Allows unbounded concurrent streams leading to resource exhaustion
- __Reference__: https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
### __Why HBase is Affected__
HBase uses `netty-all` which is a fat jar containing ALL Netty modules,
including:
- `netty-codec-http2` (vulnerable to CVE-2025-55163)
- `netty-codec` with decompression codecs (vulnerable to CVE-2025-58057)
### __Fix Recommendations__
#### __Immediate Action Required__
1. __Upgrade Netty to 4.1.125.Final__ - This fixes both CVEs
2. __Two-step upgrade process required__:
   - First: Update hbase-thirdparty repository
   - Second: Update main HBase to use new hbase-thirdparty version
#### __Technical Implementation__
1. __hbase-thirdparty changes__:
   - Repository: https://github.com/apache/hbase-thirdparty
   - Update `${netty.version}` property to `4.1.125.Final`
   - Release new hbase-thirdparty version
2. __HBase main repository changes__:
   - Update `<hbase-thirdparty.version>` to new version
   - Test compatibility with upgraded Netty
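As an added check that is not part of this issue or of the HBase project's own code: a small script that reads the `netty.version` property from a POM and reports which of the two advisories above still apply, using the fixed versions stated in this issue. The POM fragment is constructed for the example and is not the real hbase-thirdparty pom.xml.

```python
"""Report which Netty advisories from this issue apply to a POM's netty.version."""
import re
import xml.etree.ElementTree as ET

# Fixed versions from the two advisories; a version below the fix is affected.
NETTY_ADVISORIES = {
    "CVE-2025-58057": "4.1.125.Final",  # decompression DoS (GHSA-3p8m-j85q-pgmj)
    "CVE-2025-55163": "4.1.124.Final",  # MadeYouReset HTTP/2 (GHSA-prj3-ccx8-p6x4)
}


def parse_netty_version(version):
    """Turn a Netty version such as '4.1.123.Final' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.Final)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Netty version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def netty_version_from_pom(pom_xml):
    """Return the text of the <netty.version> property, namespaced or not."""
    root = ET.fromstring(pom_xml)
    for element in root.iter():
        if element.tag.split("}")[-1] == "netty.version" and element.text:
            return element.text.strip()
    raise ValueError("no netty.version property found in POM")


def affected_cves(version):
    """CVEs whose fixed version is newer than the given Netty version."""
    current = parse_netty_version(version)
    return sorted(cve for cve, fixed in NETTY_ADVISORIES.items()
                  if current < parse_netty_version(fixed))


# Constructed sample POM fragment (hypothetical, not hbase-thirdparty's real pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <netty.version>4.1.123.Final</netty.version>
  </properties>
</project>"""

if __name__ == "__main__":
    found = netty_version_from_pom(SAMPLE_POM)
    print(f"netty.version={found} affected={affected_cves(found)}")
```

Run it against the property in the thirdparty POM before and after the bump: an empty list means neither advisory applies.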
### __References__
- Netty Security Advisories: https://github.com/netty/netty/security/advisories
- CVE-2025-58057: https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
- CVE-2025-55163: https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
- HBase Thirdparty: https://github.com/apache/hbase-thirdparty
--
This message was sent by Atlassian Jira
(v8.20.10#820010)