[
https://issues.apache.org/jira/browse/NIFI-4432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann resolved NIFI-4432.
------------------------------------
Fix Version/s: 1.15.0
Assignee: David Handermann
Resolution: Fixed
> Upgrade version of netty-all due to DoS possibility
> ---------------------------------------------------
>
> Key: NIFI-4432
> URL: https://issues.apache.org/jira/browse/NIFI-4432
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Affects Versions: 1.4.0
> Reporter: Andy LoPresto
> Assignee: David Handermann
> Priority: Minor
> Labels: dependencies, netty, security
> Fix For: 1.15.0
>
>
> As documented in
> [CVE-2016-4970|https://bugzilla.redhat.com/show_bug.cgi?id=1343616],
> {{netty-all}} < 4.0.37.Final is susceptible to a denial of service attack due
> to TLS renegotiation. While Apache NiFi does not directly reference
> {{OpenSslEngine}} in the code, usages of {{io.netty.netty-all}} should be
> upgraded.
> Current transitive dependencies containing {{netty-all}}:
> {code}
> {code}
> Current (absence of) direct usage of {{OpenSslEngine}}:
> {code}Targets
>     Occurrences of 'netty' in Project with mask '*.java'
> Found Occurrences (29 usages found)
>     Unclassified occurrence (29 usages found)
>         nifi-couchbase-processors (4 usages found)
>             org.apache.nifi.processors.couchbase (4 usages found)
>                 PutCouchbaseKey.java (2 usages found)
>                     51 import com.couchbase.client.deps.io.netty.buffer.ByteBuf;
>                     52 import com.couchbase.client.deps.io.netty.buffer.Unpooled;
>                 TestGetCouchbaseKey.java (2 usages found)
>                     54 import com.couchbase.client.deps.io.netty.buffer.ByteBuf;
>                     55 import com.couchbase.client.deps.io.netty.buffer.Unpooled;
>         nifi-grpc-processors (25 usages found)
>             org.apache.nifi.processors.grpc (25 usages found)
>                 InvokeGRPC.java (7 usages found)
>                     initializeClient(ProcessContext) (4 usages found)
>                         234 final NettyChannelBuilder nettyChannelBuilder = NettyChannelBuilder.forAddress(host, port)
>                         269 nettyChannelBuilder.sslContext(sslContextBuilder.build());
>                         272 nettyChannelBuilder.usePlaintext(true);
>                         275 final ManagedChannel channel = nettyChannelBuilder.build();
>                     62 import io.grpc.netty.GrpcSslContexts;
>                     63 import io.grpc.netty.NettyChannelBuilder;
>                     64 import io.netty.handler.ssl.SslContextBuilder;
>                 ListenGRPC.java (5 usages found)
>                     startServer(ProcessContext) (1 usage found)
>                         185 NettyServerBuilder serverBuilder = NettyServerBuilder.forPort(port)
>                     65 import io.grpc.netty.GrpcSslContexts;
>                     66 import io.grpc.netty.NettyServerBuilder;
>                     67 import io.netty.handler.ssl.ClientAuth;
>                     68 import io.netty.handler.ssl.SslContextBuilder;
>                 TestGRPCClient.java (5 usages found)
>                     buildChannel(String, int, Map<String, String>) (1 usage found)
>                         86 NettyChannelBuilder channelBuilder = NettyChannelBuilder.forAddress(host, port)
>                     38 import io.grpc.netty.GrpcSslContexts;
>                     39 import io.grpc.netty.NettyChannelBuilder;
>                     40 import io.netty.handler.ssl.ClientAuth;
>                     41 import io.netty.handler.ssl.SslContextBuilder;
>                 TestGRPCServer.java (7 usages found)
>                     start(int) (3 usages found)
>                         90 final NettyServerBuilder nettyServerBuilder = NettyServerBuilder
>                         131 nettyServerBuilder.sslContext(sslContextBuilder.build());
>                         134 server = nettyServerBuilder.build().start();
>                     35 import io.grpc.netty.GrpcSslContexts;
>                     36 import io.grpc.netty.NettyServerBuilder;
>                     37 import io.netty.handler.ssl.ClientAuth;
>                     38 import io.netty.handler.ssl.SslContextBuilder;
>                 TestInvokeGRPC.java (1 usage found)
>                     33 import io.netty.handler.ssl.ClientAuth;
> {code}
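
An added example, not part of the original issue or of Apache NiFi's code: a check that walks `mvn dependency:tree` text output and reports every `io.netty:netty-all` node below the 4.0.37.Final threshold quoted in the issue, together with the dependency path that pulls it in. The tree text is constructed sample data, the `org.example` coordinates are hypothetical, and the function names are this example's own.

```python
import re

FIXED = (4, 0, 37)                  # threshold from the issue: netty-all < 4.0.37.Final
TARGET = ("io.netty", "netty-all")

# Constructed sample of `mvn dependency:tree` output (hypothetical coordinates).
SAMPLE = r"""
[INFO] org.example:demo-processors:jar:1.0.0
[INFO] +- org.example:client-a:jar:2.0.0:compile
[INFO] |  \- io.netty:netty-all:jar:4.0.33.Final:compile
[INFO] +- org.example:client-b:jar:1.1.0:compile
[INFO] |  \- io.netty:netty-all:jar:4.0.37.Final:compile
[INFO] \- org.example:client-c:jar:3.0.0:test
[INFO]    \- io.netty:netty-all:jar:linux-x86_64:4.0.36.Final:test
[INFO] BUILD SUCCESS
"""

def parse_version(text):
    """Return the leading numeric triple of a version such as 4.0.33.Final."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def find_affected(tree_text):
    """Return (version, path) for each netty-all node below FIXED.

    path is the groupId:artifactId chain from the module root to the node,
    i.e. the direct dependency that needs a bump or an exclusion.
    """
    stack, hits = [], []            # stack[d] holds the coordinate at depth d
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = re.search(r"[A-Za-z0-9]", line)
        if not m:
            continue
        fields = line[m.start():].split()[0].split(":")
        if len(fields) < 4:         # banner or summary line, not a coordinate
            continue
        depth = m.start() // 3      # each tree level is drawn with 3 characters
        group, artifact = fields[0], fields[1]
        # root: g:a:type:version; dependency: g:a:type[:classifier]:version:scope
        version = fields[-1] if len(fields) == 4 else fields[-2]
        del stack[depth:]
        stack.append(f"{group}:{artifact}")
        if (group, artifact) == TARGET:
            parsed = parse_version(version)
            if parsed is None or parsed < FIXED:   # unparseable versions are reported too
                hits.append((version, " > ".join(stack)))
    return hits

if __name__ == "__main__":
    for version, path in find_affected(SAMPLE):
        print(f"netty-all {version} via {path}")
```
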