My understanding is that Netty is only included for communication with ZooKeeper and the SniHandler itself should only be used on a Netty server (i.e. the ZooKeeper server) for an SSL connection. So I don't believe it affects Solr beyond the netty-handler-*jar being present.
In ZooKeeper itself, Netty was updated to 4.1.94.Final in the 3.8.2 release https://github.com/apache/zookeeper/pull/2019

On Thu, 31 Aug 2023 at 14:56, Watermann, Rolf <rolf.waterm...@coremedia.com.invalid> wrote:

> Hi,
>
> our trivy docker image scans on solr:9.2.1 and solr:8.11.2 reveal
> CVE-2023-34462 for netty-handler-4.1.89.Final.jar (or
> netty-handler-4.1.68.Final.jar for solr:8.11.2).
>
> https://access.redhat.com/security/cve/CVE-2023-34462
>
> "A flaw was found in Netty's SniHandler while navigating TLS handshake
> which may permit a large heap allocation if the handler did not have a
> timeout configured. This issue may allow an attacker to send a client hello
> packet which would cause the server to buffer large amounts of data per
> connection, potentially causing an out of memory error, resulting in Denial
> of Service."
>
> I checked the solr 9 workspace and executed its own dependency checks with
> "gradlew owasp". The issue is reported here as well. In the code I cannot
> find any netty usage at all, so I'm not sure about this dependency.
>
> https://solr.apache.org/security.html does not mention CVE-2023-34462.
> Can someone estimate the impact of this CVE on solr 9.2.1 and 8.11.2? I
> noticed that netty-handler has been updated on the main branch meanwhile,
> but there is no release with the fix yet. And anyway, in our production
> setups updates are not that simple, so 9.2.1 and 8.11.2 will remain for
> another while, and the impact is still interesting for us.
>
> Thanks,
> Rolf
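
Added example, not part of the original thread and not Solr or ZooKeeper code: an inventory check for the triage discussed above, which classifies netty-handler jars against 4.1.94.Final, assumed here to be the first release carrying the CVE-2023-34462 fix. The function names and the paths in `SAMPLE` are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: 4.1.94.Final (the version the reply says ZooKeeper 3.8.2 moved to)
# is the first netty-handler release that contains the CVE-2023-34462 fix.
FIXED = (4, 1, 94)

# Matches only the netty-handler artifact, not siblings such as netty-handler-proxy.
JAR_RE = re.compile(r"^netty-handler-(\d+)\.(\d+)\.(\d+)\.Final\.jar$")


def netty_handler_version(jar_name):
    """Return (major, minor, patch) for a netty-handler jar file name, else None."""
    m = JAR_RE.match(Path(jar_name).name)
    return tuple(int(part) for part in m.groups()) if m else None


def triage(jar_names, fixed=FIXED):
    """Map each netty-handler jar to 'affected' or 'fixed'; other jars are skipped."""
    result = {}
    for name in jar_names:
        version = netty_handler_version(name)
        if version is None:
            continue
        # Tuple comparison is numeric, so 4.1.100 sorts after 4.1.94.
        result[Path(name).name] = "affected" if version < fixed else "fixed"
    return result


def scan_tree(root):
    """Walk an unpacked image or install directory and triage what is found."""
    return triage(str(p) for p in Path(root).rglob("netty-handler-*.jar"))


# Constructed sample: the two jar names come from the scan report quoted above,
# the directories and the remaining entries are made up for the example.
SAMPLE = [
    "lib/netty-handler-4.1.89.Final.jar",
    "lib/netty-handler-4.1.68.Final.jar",
    "lib/netty-handler-4.1.94.Final.jar",
    "lib/netty-handler-4.1.100.Final.jar",
    "lib/netty-handler-proxy-4.1.89.Final.jar",
    "lib/zookeeper-3.8.2.jar",
]

if __name__ == "__main__":
    for jar, status in sorted(triage(SAMPLE).items()):
        print(f"{status:9} {jar}")
```

A jar reported as affected only shows that the vulnerable class is on disk; whether SniHandler is reachable still depends on a Netty TLS server actually being run, as the reply points out.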