The Apache Pulsar releases that include Netty 4.1.118 with the fix for CVE-2025-24970 are currently in the release voting stage.
This denial-of-service CVE in Netty, CVE-2025-24970, isn't critical for Pulsar cluster users as long as Pulsar's security guidelines on network perimeter security have been followed. For Pulsar Java clients, there is no denial-of-service impact from this CVE. However, many organizations have security policies requiring that any critically vulnerable dependencies must be patched within a certain timeframe, such as 30 days from discovery, regardless of the impact.

These are the release voting threads on the dev mailing list:

* [VOTE] Release Apache Pulsar 3.0.10 based on 3.0.10-candidate-1
  https://lists.apache.org/thread/62jh7sj666mq2plr1rmlj7qrfx4zdj4x
* [VOTE] Release Apache Pulsar 3.3.5 based on 3.3.5-candidate-1
  https://lists.apache.org/thread/cwfr4jmg89ncmzpl1ycbqrswppq3cnk3
* [VOTE] Release Apache Pulsar 4.0.3 based on 4.0.3-candidate-1
  https://lists.apache.org/thread/g9wmgf0b4qkcqf480c1dmc140ypmsffs

I'll proceed with the releases as soon as the mandatory 3 binding votes are reached (I can do 1 binding vote, so 2 more are needed). I hope that other Apache Pulsar PMC members could vote asap since that is currently delaying these releases. I could do one vote as long as there are 2 other binding votes on these releases. Please vote asap so that we get the CVE fix published and our users can meet their security patching SLAs.

-Lari

On Wed, 12 Feb 2025 at 10:52, Lari Hotari <lhot...@apache.org> wrote:
>
> Hi all,
>
> I'd like to discuss initiating the next set of Pulsar releases
> (3.0.10, 3.3.5, and 4.0.3) due to a recently disclosed high-severity
> security vulnerability in Netty (CVE-2025-24970). Netty has released
> version 4.1.118.Final which contains the fix.
>
> The CVE-2025-24970 vulnerability details [1] summarized:
> - A specially crafted packet received via SslHandler can lead to a
>   native crash when using native SSLEngine
> - Due to the crash behavior, this is categorized as a
>   denial-of-service vulnerability
> - This impacts Pulsar brokers and proxies that use native SSL
>   implementation (default setting)
> - CVSS Score: 7.5 (High)
> - Fixed in Netty 4.1.118.Final
>
> While this primarily affects broker and proxy components, many
> enterprise users will need an updated client due to vulnerability
> scanning and security policies that flag the vulnerable Netty
> dependency.
>
> Important reminder: As documented in the Apache Pulsar Helm chart
> (https://github.com/apache/pulsar-helm-chart?tab=readme-ov-file#pulsar-proxy-security-considerations),
> Pulsar components including the Pulsar Proxy are not designed for
> direct exposure to the public internet. Deployments should be
> protected by appropriate network perimeter security measures. This
> architectural assumption is particularly relevant given the nature of
> this vulnerability.
>
> I propose the following timeline:
> - Release candidates by February 14th, 2025
> - Releases by February 21st, 2025
>
> I'm volunteering to be the release manager for these releases.
> Please let me know if you have any concerns or feedback on this plan.
>
> Best regards,
>
> Lari Hotari
>
> 1 - For technical details on CVE-2025-24970, see:
> https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw
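The thread notes that vulnerability scanners will flag any build still pulling in a Netty version below 4.1.118.Final, which is why client users also need the patched release. The following script is an added example, not code from the Pulsar project or from this thread: it walks `mvn dependency:tree` style output and reports every `io.netty` artifact older than the fix version. The sample tree lines are constructed for illustration (the `org.example:pulsar-app` coordinate and the 4.1.117.Final versions are assumed, not taken from any real build); the `io.netty` group id and the `groupId:artifactId:packaging[:classifier]:version:scope` line format are the standard Maven conventions.

```python
"""Report io.netty artifacts older than the CVE-2025-24970 fix version.

Added example (not Pulsar project code). Input is expected in the line
format printed by `mvn dependency:tree`; the sample below is constructed.
"""
import re
import sys

# Version carrying the fix, as stated in the Netty advisory and the Pulsar thread.
FIXED_NETTY_VERSION = "4.1.118.Final"

# Maven coordinate: groupId:artifactId:packaging[:classifier]:version[:scope].
# The version must start with a digit so an optional classifier is never
# confused with the version field.
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<packaging>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>\d[\w.\-]*)(?::(?P<scope>\w+))?"
)

# Constructed sample output; versions and the application coordinate are assumed.
SAMPLE_TREE = [
    "[INFO] org.example:pulsar-app:jar:1.0.0",
    "[INFO] +- org.apache.pulsar:pulsar-client:jar:4.0.2:compile",
    "[INFO] |  +- io.netty:netty-handler:jar:4.1.117.Final:compile",
    "[INFO] |  +- io.netty:netty-codec:jar:4.1.117.Final:compile",
    "[INFO] |  +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.117.Final:compile",
    "[INFO] |  \\- io.netty:netty-tcnative-boringssl-static:jar:2.0.70.Final:compile",
    "[INFO] \\- io.netty:netty-buffer:jar:4.1.118.Final:compile",
]


def parse_version(version: str) -> tuple:
    """Turn '4.1.118.Final' into (4, 1, 118) for numeric comparison.

    Trailing non-numeric qualifiers such as 'Final' are dropped; Netty uses
    them uniformly on release versions, so they do not affect ordering here.
    """
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def find_vulnerable_netty(tree_lines):
    """Return (artifact, version) pairs for io.netty 4.x artifacts below the fix.

    Artifacts that do not follow the 4.x numbering (for example netty-tcnative,
    which has its own 2.0.x scheme) are skipped: the fix version quoted in the
    advisory refers to the main Netty line, so comparing them would be
    meaningless (assumption made for this example).
    """
    fixed = parse_version(FIXED_NETTY_VERSION)
    hits = []
    for line in tree_lines:
        match = COORD_RE.search(line)
        if not match or match.group("group") != "io.netty":
            continue
        version = match.group("version")
        parsed = parse_version(version)
        if parsed[:1] != (4,):
            continue
        if parsed < fixed:
            hits.append((match.group("artifact"), version))
    return hits


if __name__ == "__main__":
    # Real use: mvn dependency:tree | python check_netty.py
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_TREE
    for artifact, version in find_vulnerable_netty(lines):
        print(f"{artifact} {version} is below {FIXED_NETTY_VERSION}")
```

Run against the constructed sample it reports netty-handler, netty-codec and netty-transport-native-epoll at 4.1.117.Final, leaves netty-buffer at 4.1.118.Final alone, and ignores the tcnative artifact because its 2.0.x version is not comparable to the 4.1.118.Final fix version. Piping a real `mvn dependency:tree` into it gives the same list a scanner would complain about.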