Details
Assignee: Unassigned
Reporter: Veena Kannan
HB Grooming Date: Sep 27, 2024
HB Backlog Status: Refined Backlog
Fix versions:
Priority: High
Created September 27, 2024 at 8:22 PM
Updated October 17, 2024 at 1:44 PM
Even after we updated netty to version 4.1.100.Final in this Jira (https://opennms.atlassian.net/browse/NMS-16184?searchObjectId=45263&searchContainerId=10112&searchContentType=issue&searchSessionId=36b3326a-d6dd-41ae-95b3-200e397f336f ), we are seeing the older version (4.1.22) showing up in the Trivy scans. These are also seen in Poweredby customer scans.
The older version might be part of OSGi or somewhere else. Need to find this and update it. Update netty everywhere to the latest version with all the fixes, version 4.1.108.
Fix needed for both 2023 & 2024 as applicable.
Below is the Trivy scan showing the older version:
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title | Reference |
|---|---|---|---|---|---|---|
| io.netty:netty-codec (netty-codec-4.1.22.Final.jar) | CVE-2021-37136 | HIGH | 4.1.22.Final | 4.1.68.Final | netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data | https://avd.aquasec.com/nvd/cve-2021-37136 |
| io.netty:netty-codec (netty-codec-4.1.22.Final.jar) | CVE-2021-37137 | HIGH | 4.1.22.Final | 4.1.68.Final | netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in... | https://avd.aquasec.com/nvd/cve-2021-37137 |
| io.netty:netty-codec-http (netty-codec-http-4.1.100.Final.jar) | CVE-2024-29025 | MEDIUM | 4.1.100.Final | 4.1.108.Final | netty-codec-http: Allocation of Resources Without Limits or Throttling | https://avd.aquasec.com/nvd/cve-2024-29025 |
| io.netty:netty-codec-http (opennms_jmx_config_generator.jar) | CVE-2024-29025 | MEDIUM | 4.1.100.Final | 4.1.108.Final | netty-codec-http: Allocation of Resources Without Limits or Throttling | https://avd.aquasec.com/nvd/cve-2024-29025 |
| io.netty:netty-codec-http (netty-codec-http-4.1.22.Final.jar) | CVE-2019-20444 | CRITICAL | 4.1.22.Final | 4.1.44 | netty: HTTP request smuggling | https://avd.aquasec.com/nvd/cve-2019-20444 |
| io.netty:netty-codec-http (netty-codec-http-4.1.22.Final.jar) | CVE-2021-21290 | MEDIUM | 4.1.22.Final | 4.1.59.Final | netty: Information disclosure via the local system temporary directory | https://avd.aquasec.com/nvd/cve-2021-21290 |
| io.netty:netty-codec-http (netty-codec-http-4.1.22.Final.jar) | CVE-2021-43797 | MEDIUM | 4.1.22.Final | 4.1.71.Final | netty: control chars in header names may lead to HTTP request smuggling... | https://avd.aquasec.com/nvd/cve-2021-43797 |
| io.netty:netty-codec-http (netty-codec-http-4.1.22.Final.jar) | CVE-2022-24823 | MEDIUM | 4.1.22.Final | 4.1.77.Final | netty: world readable temporary file containing sensitive data | https://avd.aquasec.com/nvd/cve-2022-24823 |
| io.netty:netty-codec-http (netty-codec-http-4.1.22.Final.jar) | CVE-2024-29025 | MEDIUM | 4.1.22.Final | 4.1.108.Final | netty-codec-http: Allocation of Resources Without Limits or Throttling | https://avd.aquasec.com/nvd/cve-2024-29025 |
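As an added example (not part of this ticket and not OpenNMS project code), the following Python script performs the search the ticket asks for: it walks a build or install tree, identifies netty artifacts the same way Trivy does (from `META-INF/maven/io.netty/<artifact>/pom.properties` inside each jar, falling back to the version in the jar file name), recurses into jars nested inside other jars (the pattern that hides a copy in a tool jar such as opennms_jmx_config_generator.jar or in an OSGi bundle's Bundle-ClassPath), and reports every copy older than 4.1.108.Final. The directory layout it builds to demonstrate itself is constructed and hypothetical; it is not the real OpenNMS tree, and the file paths in it are made up for the example.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Version the ticket wants everywhere.
TARGET = "4.1.108.Final"

# Trivy identifies a Maven artifact inside a jar from this file; shaded and
# repackaged copies usually keep it even when the jar is not named netty-*.
POM_PROPS_RE = re.compile(r"^META-INF/maven/io\.netty/([^/]+)/pom\.properties$")
# Fallback: version encoded in the jar file name (e.g. netty-codec-4.1.22.Final.jar).
JAR_NAME_RE = re.compile(r"(netty(?:-[a-z]+)*)-(\d+\.\d+\.\d+(?:\.Final)?)\.jar$")


def version_key(version: str) -> tuple:
    """'4.1.22.Final' -> (4, 1, 22) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split(".")[:3])


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader (key=value lines, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def scan_jar(data: bytes, origin: str, found: list) -> None:
    """Append (origin, 'io.netty:<artifact>', version) for every netty artifact
    identifiable in this jar, then recurse into any jar nested inside it
    (fat jars, OSGi bundles listing embedded jars on Bundle-ClassPath)."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    seen = set()
    with archive:
        for name in archive.namelist():
            match = POM_PROPS_RE.match(name)
            if match:
                props = parse_properties(archive.read(name).decode("utf-8", "replace"))
                artifact = props.get("artifactId", match.group(1))
                if "version" in props:
                    found.append((origin, f"io.netty:{artifact}", props["version"]))
                    seen.add(artifact)
            elif name.endswith(".jar"):
                scan_jar(archive.read(name), f"{origin}!/{name}", found)
    # A netty jar shipped without pom.properties is still recognisable by name.
    match = JAR_NAME_RE.search(origin)
    if match and match.group(1) not in seen:
        found.append((origin, f"io.netty:{match.group(1)}", match.group(2)))


def find_netty(root) -> list:
    """Scan every jar under root; origins are root-relative, nested jars use '!/'."""
    root = Path(root)
    found = []
    for path in sorted(root.rglob("*.jar")):
        scan_jar(path.read_bytes(), path.relative_to(root).as_posix(), found)
    return found


def stale(found: list, target: str = TARGET) -> list:
    """Every finding whose version is below the target."""
    return [f for f in found if version_key(f[2]) < version_key(target)]


def build_fixture(root) -> None:
    """Constructed sample tree (hypothetical paths, not the real OpenNMS layout)."""
    root = Path(root)

    def pom(artifact, version):
        return (f"META-INF/maven/io.netty/{artifact}/pom.properties",
                f"groupId=io.netty\nartifactId={artifact}\nversion={version}\n")

    def jar_bytes(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries:
                zf.writestr(name, content)
        return buf.getvalue()

    def write_jar(rel, entries):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(jar_bytes(entries))

    # 1. Jar produced by the dependency bump.
    write_jar("lib/netty-codec-http-4.1.100.Final.jar", [pom("netty-codec-http", "4.1.100.Final")])
    # 2. Stale jar in an OSGi system repository, no pom.properties: found by file name only.
    write_jar("system/io/netty/netty-codec/4.1.22.Final/netty-codec-4.1.22.Final.jar",
              [("io/netty/handler/codec/compression/Bzip2Decoder.class", b"")])
    # 3. Shaded copy inside a tool jar whose name says nothing about netty.
    write_jar("bin/opennms_jmx_config_generator.jar",
              [("io/netty/handler/codec/http/HttpObjectDecoder.class", b""),
               pom("netty-codec-http", "4.1.100.Final")])
    # 4. Old jar embedded inside an OSGi bundle via Bundle-ClassPath.
    write_jar("deploy/some-bundle.jar",
              [("META-INF/MANIFEST.MF", "Bundle-ClassPath: .,lib/netty-codec-http-4.1.22.Final.jar\n"),
               ("lib/netty-codec-http-4.1.22.Final.jar",
                jar_bytes([pom("netty-codec-http", "4.1.22.Final")]))])


def demo(target: str = TARGET) -> tuple:
    """Build the fixture in a temp dir and return (all findings, stale findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        found = find_netty(tmp)
    return found, stale(found, target)


if __name__ == "__main__":
    for origin, artifact, version in demo()[1]:
        print(f"{artifact} {version} (< {TARGET}) in {origin}")
```

Run against a real tree with `find_netty("/path/to/install")` instead of the fixture. The point of the nested-jar recursion and the pom.properties lookup is that a plain `find . -name 'netty-*.jar'` misses exactly the two cases the scan above shows (a copy inside opennms_jmx_config_generator.jar, and a 4.1.22 jar that is not in the lib/ directory the bump touched), while `stale()` flags 4.1.100.Final as well as 4.1.22.Final, matching the CVE-2024-29025 rows.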