Michael Han created ZOOKEEPER-2423:
--------------------------------------

             Summary: Upgrade Netty version due to security vulnerability (CVE-2014-3488)
                 Key: ZOOKEEPER-2423
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2423
             Project: ZooKeeper
          Issue Type: Bug
          Components: security, server
    Affects Versions: 3.5.1, 3.4.8, 3.6.0
            Reporter: Michael Han
            Assignee: Michael Han
            Priority: Critical
             Fix For: 3.4.9, 3.5.2, 3.6.0


The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial 
of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message 
[1]. We are using netty 3.7.x in ZK for 3.4/3.5/3.6, which is affected by this 
vulnerability.

We should upgrade Netty to a later version that fixes this issue. I am 
leaning towards upgrading Netty to 3.10.5 [2], which is the latest 
release of the major version (3) that ZK 3.4/3.5/3.6 is using. Thoughts on which 
Netty version we should upgrade to?

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3488
[2] http://netty.io/news/
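As an added example (not part of this issue or of the ZooKeeper project's code), the check below audits a list of classpath jar names for a Netty 3.x build older than the 3.9.2 fix for CVE-2014-3488. The jar names are constructed sample input, and the regex assumes the `netty-<version>.Final.jar` naming of Netty 3 artifacts. It also shows why the version comparison must be numeric per component: a plain string comparison would rank the proposed 3.10.5 below 3.9.2 and report it as still vulnerable.

```python
import re
from typing import List, Optional, Tuple

# From the issue text: SslHandler in Netty before 3.9.2 is affected by CVE-2014-3488.
FIXED_VERSION = "3.9.2"

# Constructed sample input: jar names as they might appear in a lib/ directory.
SAMPLE_JARS = [
    "netty-3.7.0.Final.jar",    # the 3.7.x line the issue says ZK is using
    "netty-3.10.5.Final.jar",   # the upgrade target proposed in the issue
    "slf4j-api-1.7.5.jar",      # unrelated jar, must be ignored
    "netty-3.9.2.Final.jar",    # exactly the fixed release, not affected
]

# Assumed Netty 3 artifact naming: netty-<digits.digits...>[.Qualifier].jar
_NETTY_RE = re.compile(r"^netty-(\d+(?:\.\d+)*)(?:\.[A-Za-z0-9]+)?\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.10.5' into (3, 10, 5) so each component compares as an integer."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the given Netty version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def naive_string_compare_says_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """The wrong way: lexicographic compare, shown only to illustrate the pitfall."""
    return version < fixed


def netty_version_from_jar(jar_name: str) -> Optional[str]:
    """Extract the version string from a Netty jar name, or None for other jars."""
    match = _NETTY_RE.match(jar_name)
    return match.group(1) if match else None


def audit(jar_names: List[str]) -> List[Tuple[str, str]]:
    """Return (jar, version) pairs for Netty jars older than the fixed release."""
    findings = []
    for jar in jar_names:
        version = netty_version_from_jar(jar)
        if version is not None and is_affected(version):
            findings.append((jar, version))
    return findings


if __name__ == "__main__":
    for jar, version in audit(SAMPLE_JARS):
        print(f"{jar}: Netty {version} < {FIXED_VERSION}, affected by CVE-2014-3488")
```

Running the block reports only `netty-3.7.0.Final.jar`; the 3.9.2 and 3.10.5 jars pass, whereas the lexicographic comparison would have flagged 3.10.5 as well.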



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)