[ https://issues.apache.org/jira/browse/OAK-9539?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nitin Gupta closed OAK-9539.
----------------------------

> Bump netty dependency from 4.1.52.Final to 4.1.66.Final
> -------------------------------------------------------
>
>                 Key: OAK-9539
>                 URL: https://issues.apache.org/jira/browse/OAK-9539
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: segment-tar
>            Reporter: Arun Kumar Ram
>            Assignee: Andrei Dulceanu
>            Priority: Major
>              Labels: vulnerability
>             Fix For: 1.42.0, 1.22.9
>
>
> io.netty : netty-codec : 4.1.52.Final sonatype-2021-0789
>
> *Summary*:
> sonatype-2021-0789
>
> Explanation
> The netty-codec package contains a Buffer Overflow vulnerability. The finishEncode function in the Lz4FrameEncoder.class class incorrectly estimates the buffer size when writing a footer for the last header. An attacker could abuse this behavior by sending a payload to the flawed application that will overwrite contiguous memory chunks in the heap, resulting in a Denial of Service (DoS) condition or other unintended behavior.
>
> Detection
> The application is vulnerable by using this component.
>
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
> Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
>
> Root Cause
> netty-codec-4.1.52.Final.jar <= io/netty/handler/codec/compression/Lz4FrameEncoder.class:[4.1.0.Beta2 , 4.1.66.Final)
>
> Advisories
> Project:
> [https://github.com/netty/netty/pull/11429]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
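An added check, not part of this issue or of the Oak project, that turns the Root Cause range quoted above ([4.1.0.Beta2, 4.1.66.Final)) into a scan over a project's resolved dependencies. The sample lines are constructed in the groupId:artifactId:type:version:scope form that mvn dependency:list prints (with the [INFO] prefix already stripped), and the qualifier ordering Alpha < Beta < CR < Final is an assumption about Netty's versioning scheme.

```python
import re

# Vulnerable range for sonatype-2021-0789 as stated in the issue:
# netty-codec [4.1.0.Beta2, 4.1.66.Final)
VULN_FROM = "4.1.0.Beta2"
FIXED_IN = "4.1.66.Final"

# Assumed Netty qualifier order within one x.y.z cycle, earliest to latest.
_QUALIFIER_RANK = {"Alpha": 0, "Beta": 1, "CR": 2, "Final": 3}


def parse_netty_version(version):
    """Turn '4.1.0.Beta2' into a comparable tuple (4, 1, 0, rank, 2)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(Alpha|Beta|CR|Final)(\d*))?", version)
    if not m:
        raise ValueError("unrecognised netty version: %r" % version)
    major, minor, patch, qualifier, qnum = m.groups()
    rank = _QUALIFIER_RANK[qualifier] if qualifier else 3  # bare x.y.z treated as Final
    return (int(major), int(minor), int(patch), rank, int(qnum) if qnum else 0)


def is_vulnerable(version):
    """True when version lies in [VULN_FROM, FIXED_IN)."""
    v = parse_netty_version(version)
    return parse_netty_version(VULN_FROM) <= v < parse_netty_version(FIXED_IN)


def find_vulnerable_netty_codec(dependency_lines):
    """Return the netty-codec versions in the range, from dependency:list style lines."""
    hits = []
    for line in dependency_lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a groupId:artifactId:type:version[:scope] coordinate
        group, artifact, _type, version = parts[:4]
        if group == "io.netty" and artifact == "netty-codec" and is_vulnerable(version):
            hits.append(version)
    return hits


# Constructed sample input mimicking mvn dependency:list output
SAMPLE_DEPS = [
    "io.netty:netty-codec:jar:4.1.52.Final:compile",
    "io.netty:netty-codec:jar:4.1.66.Final:compile",
    "io.netty:netty-buffer:jar:4.1.52.Final:compile",
    "io.netty:netty-codec:jar:4.1.0.Beta1:compile",
]

if __name__ == "__main__":
    print(find_vulnerable_netty_codec(SAMPLE_DEPS))  # ['4.1.52.Final']
```

Only netty-codec is matched, since the issue names that artifact; other io.netty artifacts on the same line set are ignored even at 4.1.52.Final.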