Hi, our trivy docker image scans on solr:9.2.1 and solr:8.11.2 reveal CVE-2023-34462 for netty-handler-4.1.89.Final.jar (or netty-handler-4.1.68.Final.jar for solr:8.11.2).
https://access.redhat.com/security/cve/CVE-2023-34462: "A flaw was found in Netty's SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service."

I checked the solr 9 workspace and executed its own dependency checks with "gradlew owasp". The issue is reported here as well. In the code I cannot find any netty usage at all, so I'm not sure about this dependency. https://solr.apache.org/security.html does not mention CVE-2023-34462.

Can someone estimate the impact of this CVE on solr 9.2.1 and 8.11.2? I noticed that netty-handler has been updated on the main branch meanwhile, but there is no release with the fix yet. And anyway, in our production setups updates are not that simple, so 9.2.1 and 8.11.2 will remain for another while, and the impact is still interesting for us.

Thanks,
Rolf
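As a first pass at the impact question, a defender can check whether anything shipped alongside the flagged jar actually references the class the advisory names (Netty's SniHandler), rather than stopping at "the jar is present". The following is an added example, not Solr's or Netty's code and not part of this thread; it scans jars for that class reference, its sample jars are constructed in-memory fixtures, and it assumes a byte scan for direct constant-pool references is enough for triage (reflective or ServiceLoader wiring would not be seen).

```python
import io, re, sys, zipfile
from pathlib import Path

# Constant-pool string a class carries when it references the handler named in
# CVE-2023-34462. A byte scan catches direct references only (assumption: a
# first triage; reflection/ServiceLoader wiring is not seen).
SNI_HANDLER_REF = b"io/netty/handler/ssl/SniHandler"
NETTY_HANDLER_JAR = re.compile(r"^netty-handler-(\d+\.\d+\.\d+)\.Final\.jar$")

def jar_references(jar_bytes, needle=SNI_HANDLER_REF):
    """Return the .class entries inside one jar whose bytes contain `needle`."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if n.endswith(".class") and needle in zf.read(n)]

def triage(jars):
    """jars: {jar file name: jar bytes}. Report the shipped netty-handler
    version(s) and every other jar whose classes reference SniHandler."""
    report = {"netty_handler_versions": [], "sni_handler_users": {}}
    for name, data in sorted(jars.items()):
        m = NETTY_HANDLER_JAR.match(name)
        if m:  # the flagged artifact itself; record its version, do not scan it
            report["netty_handler_versions"].append(m.group(1))
            continue
        refs = jar_references(data)
        if refs:
            report["sni_handler_users"][name] = refs
    return report

def load_jars(root):
    """Read every *.jar below a directory, e.g. a Solr install's server/ tree."""
    return {p.name: p.read_bytes() for p in Path(root).rglob("*.jar")}

def make_jar(entries):
    """Build an in-memory jar; used only for the constructed fixtures below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed fixtures (not real Solr artifacts); 0xCAFEBABE is the class-file magic.
SAMPLE_JARS = {
    "netty-handler-4.1.89.Final.jar": make_jar(
        {"io/netty/handler/ssl/SniHandler.class": b"\xca\xfe\xba\xbe" + SNI_HANDLER_REF}),
    "constructed-tls-plugin-1.0.jar": make_jar(
        {"com/example/TlsServer.class": b"\xca\xfe\xba\xbe" + SNI_HANDLER_REF}),
    "constructed-no-netty-1.0.jar": make_jar(
        {"com/example/Plain.class": b"\xca\xfe\xba\xbe" + b"java/lang/Object"}),
}

if __name__ == "__main__":  # pass a Solr install directory to scan its real jars
    print(triage(load_jars(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_JARS))
```

A hit shows the handler is at least referenced, not that it sits on a listening TLS endpoint without a timeout; no hit narrows the exposure but does not prove the class unreachable, so treat the report as input to the impact estimate rather than the answer.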