Patrick D. Hunt created ZOOKEEPER-3794:
------------------------------------------
Summary: upgrade netty to address CVE-2020-11612
Key: ZOOKEEPER-3794
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3794
Project: ZooKeeper
Issue Type: Task
Components: security
Reporter: Patrick D. Hunt
The owasp checker is failing with the following. I looked and seems like a DOS
attack vector "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for
unbounded memory allocation while decoding a ZlibEncoded byte stream. An
attacker could send a large ZlibEncoded byte stream to the Netty server,
forcing the server to allocate all of its free memory to a single decoder."
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
(default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have
a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] netty-handler-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-common-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-buffer-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-transport-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-resolver-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-codec-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-transport-native-epoll-4.1.45.Final.jar: CVE-2020-11612
[ERROR] netty-transport-native-unix-common-4.1.45.Final.jar: CVE-2020-11612
[ERROR]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
