CVEDetect opened a new issue #1993: URL: https://github.com/apache/shardingsphere-elasticjob/issues/1993
Hi, in **shardingsphere-elasticjob/elasticjob-cloud/elasticjob-cloud-scheduler**, there is a dependency **io.netty:netty-common:4.1.45.Final** that calls the risk method. [CVE-2021-21290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21290)

The affected version range of this CVE is **[4.0.0.Final, 4.1.59.Final)**.

After further analysis, in this project, the main API called is `<io.netty.util.internal.NativeLibraryLoader: void load(java.lang.String,java.lang.ClassLoader)>`.

Risk method repair link: [GitHub](https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec)

**CVE Bug Invocation Path**

**Path Length: 8**

```
<io.netty.util.internal.NativeLibraryLoader: void load(java.lang.String,java.lang.ClassLoader)>
at <io.netty.channel.epoll.Native: void loadNativeLibrary()> (io.netty.channel.epoll.Native.java:[231, 234]) in /.m2/repository/io/netty/netty-transport-native-epoll/4.1.45.Final/netty-transport-native-epoll-4.1.45.Final.jar
at <io.netty.channel.epoll.Native: void <clinit>()> (io.netty.channel.epoll.Native.java:[58]) in /.m2/repository/io/netty/netty-transport-native-epoll/4.1.45.Final/netty-transport-native-epoll-4.1.45.Final.jar
at <io.netty.channel.epoll.EpollEventLoop: void wakeup(boolean)> (io.netty.channel.epoll.EpollEventLoop.java:[186]) in /.m2/repository/io/netty/netty-transport-native-epoll/4.1.45.Final/netty-transport-native-epoll-4.1.45.Final.jar
at <io.netty.util.concurrent.SingleThreadEventExecutor: io.netty.util.concurrent.Future shutdownGracefully(long,long,java.util.concurrent.TimeUnit)> (io.netty.util.concurrent.SingleThreadEventExecutor.java:[670]) in /.m2/repository/io/netty/netty-common/4.1.45.Final/netty-common-4.1.45.Final.jar
at <io.netty.util.concurrent.AbstractEventExecutor: io.netty.util.concurrent.Future shutdownGracefully()> (io.netty.util.concurrent.AbstractEventExecutor.java:[73]) in /.m2/repository/io/netty/netty-common/4.1.45.Final/netty-common-4.1.45.Final.jar
at <org.apache.shardingsphere.elasticjob.restful.NettyRestfulService: void shutdown()> (org.apache.shardingsphere.elasticjob.restful.NettyRestfulService.java:[80, 79]) in /.m2/repository/org/apache/shardingsphere/elasticjob/elasticjob-restful/3.0.0/elasticjob-restful-3.0.0.jar
at <org.apache.shardingsphere.elasticjob.cloud.console.ConsoleBootstrap: void stop()> (org.apache.shardingsphere.elasticjob.cloud.console.ConsoleBootstrap.java:[63]) in /detect/unzip/shardingsphere-elasticjob-3.0.0/elasticjob-cloud/elasticjob-cloud-scheduler/target/classes
```

**Dependency tree**

```
[INFO] org.apache.shardingsphere.elasticjob:elasticjob-cloud-scheduler:jar:3.0.0
[INFO] +- org.apache.shardingsphere.elasticjob:elasticjob-cloud-common:jar:3.0.0:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-api:jar:3.0.0:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-infra-common:jar:3.0.0:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-simple-executor:jar:3.0.0:compile
[INFO] |  |  \- org.apache.shardingsphere.elasticjob:elasticjob-executor-kernel:jar:3.0.0:compile
[INFO] |  |     \- org.apache.shardingsphere.elasticjob:elasticjob-error-handler-general:jar:3.0.0:compile
[INFO] |  |        \- org.apache.shardingsphere.elasticjob:elasticjob-error-handler-spi:jar:3.0.0:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-dataflow-executor:jar:3.0.0:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-script-executor:jar:3.0.0:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-http-executor:jar:3.0.0:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-registry-center:jar:3.0.0:compile
[INFO] |  |  +- org.apache.curator:curator-framework:jar:5.1.0:compile
[INFO] |  |  +- org.apache.curator:curator-client:jar:5.1.0:compile
[INFO] |  |  \- org.apache.curator:curator-recipes:jar:5.1.0:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-tracing-rdb:jar:3.0.0:compile
[INFO] |  |  \- org.apache.shardingsphere.elasticjob:elasticjob-tracing-api:jar:3.0.0:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.6.1:compile
[INFO] |  +- org.quartz-scheduler:quartz:jar:2.3.2:compile
[INFO] |  |  +- com.mchange:mchange-commons-java:jar:0.2.15:compile
[INFO] |  |  \- com.zaxxer:HikariCP-java7:jar:2.4.13:compile
[INFO] |  \- org.apache.commons:commons-exec:jar:1.3:compile
[INFO] +- org.apache.shardingsphere.elasticjob:elasticjob-restful:jar:3.0.0:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.45.Final:compile
[INFO] |  |  +- io.netty:netty-buffer:jar:4.1.45.Final:compile
[INFO] |  |  \- io.netty:netty-handler:jar:4.1.45.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.45.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.45.Final:compile
[INFO] |  \- io.netty:netty-transport:jar:4.1.45.Final:compile
[INFO] |     \- io.netty:netty-resolver:jar:4.1.45.Final:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] +- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- com.google.guava:guava:jar:29.0-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:2.11.1:compile
[INFO] |  \- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] +- org.apache.mesos:mesos:jar:1.1.0:compile
[INFO] |  \- com.google.protobuf:protobuf-java:jar:2.6.1:compile
[INFO] +- com.netflix.fenzo:fenzo-core:jar:0.11.1:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.4.5:runtime
[INFO] |     +- com.fasterxml.jackson.core:jackson-annotations:jar:2.4.0:runtime
[INFO] |     \- com.fasterxml.jackson.core:jackson-core:jar:2.4.5:runtime
[INFO] +- org.apache.commons:commons-dbcp2:jar:2.7.0:compile
[INFO] |  \- org.apache.commons:commons-pool2:jar:2.8.1:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.7:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.7:compile
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.7:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.12:provided
[INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.6.0:compile
[INFO] |  |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  |  +- org.apache.zookeeper:zookeeper-jute:jar:3.6.0:compile
[INFO] |  |  +- org.apache.yetus:audience-annotations:jar:0.5.0:compile
[INFO] |  |  +- io.netty:netty-transport-native-epoll:jar:4.1.45.Final:compile
[INFO] |  |  |  \- io.netty:netty-transport-native-unix-common:jar:4.1.45.Final:compile
[INFO] |  |  \- log4j:log4j:jar:1.2.17:compile
```

**_Suggested solutions:_** Update dependency version.

Thank you very much.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
