Andrei Dulceanu created OAK-10591:
-------------------------------------
Summary: CLONE - Bump netty dependency from 4.1.52.Final to 4.1.66.Final
Key: OAK-10591
URL: https://issues.apache.org/jira/browse/OAK-10591
Project: Jackrabbit Oak
Issue Type: Task
Components: segment-tar
Reporter: Arun Kumar Ram
Assignee: Andrei Dulceanu
Fix For: 1.42.0, 1.22.9
io.netty : netty-codec : 4.1.52.Final sonatype-2021-0789
*Summary*:
sonatype-2021-0789
Explanation
The netty-codec package contains a Buffer Overflow vulnerability. The
finishEncode function in the Lz4FrameEncoder.class class incorrectly estimates
the buffer size when writing a footer for the last header. An attacker could
abuse this behavior by sending a payload to the flawed application that will
overwrite contiguous memory chunks in the heap, resulting in a Denial of
Service (DoS) condition or other unintended behavior.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable
to this specific issue.
Note: If this component is included as a bundled/transitive dependency of
another component, there may not be an upgrade path. In this instance, we
recommend contacting the maintainers who included the vulnerable package.
Alternatively, we recommend investigating alternative components or a potential
mitigating control.
Root Cause
netty-codec-4.1.52.Final.jar <= io/netty/handler/codec/compression/Lz4FrameEncoder.class : [4.1.0.Beta2, 4.1.66.Final)
Advisories
Project:
[https://github.com/netty/netty/pull/11429]
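Added example (not part of this issue or of the Oak code base): a Python check that scans `mvn dependency:tree` output for `io.netty:netty-codec` versions inside the affected range [4.1.0.Beta2, 4.1.66.Final), which is the practical way to tell whether a bundled or transitive dependency still pulls in the vulnerable class. The dependency tree lines below are constructed for illustration, not taken from a real Oak build.

```python
import re

# Affected range taken from the advisory: [4.1.0.Beta2, 4.1.66.Final)
AFFECTED_GROUP_ARTIFACT = "io.netty:netty-codec"
AFFECTED_LOWER = "4.1.0.Beta2"   # inclusive lower bound
FIXED_VERSION = "4.1.66.Final"   # exclusive upper bound (first fixed release)

# Ordering of Netty release qualifiers (Alpha < Beta < CR < Final)
QUALIFIER_RANK = {"Alpha": 0, "Beta": 1, "CR": 2, "Final": 3}


def parse_version(version):
    """Turn '4.1.52.Final' or '4.1.0.Beta2' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.([A-Za-z]+)(\d*)", version)
    if not m:
        raise ValueError(f"unrecognised Netty version: {version}")
    major, minor, patch, qualifier, qnum = m.groups()
    return (int(major), int(minor), int(patch),
            QUALIFIER_RANK[qualifier], int(qnum or 0))


def is_affected(version):
    """True if the version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_LOWER) <= v < parse_version(FIXED_VERSION)


# One Maven coordinate as printed by `mvn dependency:tree`:
# group:artifact:jar:version:scope
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")


def find_affected(tree_text):
    """Return (version, scope) for every affected netty-codec in the tree."""
    hits = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        group, artifact, version, scope = m.groups()
        if f"{group}:{artifact}" == AFFECTED_GROUP_ARTIFACT and is_affected(version):
            hits.append((version, scope))
    return hits


# Constructed sample of dependency:tree output (not a real Oak build)
SAMPLE_TREE = """\
[INFO] +- io.netty:netty-handler:jar:4.1.52.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.52.Final:compile
[INFO] |  \\- io.netty:netty-transport:jar:4.1.52.Final:compile
[INFO] \\- io.netty:netty-buffer:jar:4.1.52.Final:compile
"""
```

Running `find_affected` over a real `mvn dependency:tree -Dincludes=io.netty` dump reports the transitive path that still needs the bump, which is the case the advisory's note about bundled dependencies refers to.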