
Need compatible versions for Netty 4.1.68+ , GRPC server and netty-tcnative-boringssl-static #8617

Closed
gautamnaha opened this issue Oct 20, 2021 · 15 comments · Fixed by #8780

@gautamnaha

gautamnaha commented Oct 20, 2021

We need to upgrade Netty version to 4.1.68+. Please let us know the compatible versions for gRPC server and netty-tcnative-boringssl-static. The versions table in https://github.com/grpc/grpc-java/blob/master/SECURITY.md#netty does not include this netty version.

@gautamnaha gautamnaha changed the title Need compatible versions for Netty 4.1.68+ Need compatible versions for Netty 4.1.68+ and netty-tcnative-boringssl-static Oct 20, 2021
@gautamnaha gautamnaha changed the title Need compatible versions for Netty 4.1.68+ and netty-tcnative-boringssl-static Need compatible versions for Netty 4.1.68+ , GRPC server and netty-tcnative-boringssl-static Oct 20, 2021
@dapengzhang0
Member

The work is in progress, see #8593 for compatible versions for detail. However, that work is stuck because the test is failing (#8605) and we need to find out the root cause.

@sanjaypujare sanjaypujare self-assigned this Oct 20, 2021
@gautamnaha
Author

gautamnaha commented Oct 20, 2021

Thanks for the update. Is there an ETA on this, please? We need to upgrade by November end due to security requirements.

Also, the gRPC version is shown as 1.42.x, whereas the latest published version in Maven Central for grpc-core is 1.41.0. Is this correct info?

@dapengzhang0
Member

Also, the gRPC version is shown as 1.42.x, whereas the latest published version in Maven Central for grpc-core is 1.41.0. Is this correct info?

That PR was created before the 1.42.x branch was cut, assuming it would get merged before the cut. Now it should be updated, say to 1.43.x if it gets merged before the next branch cut.

@dapengzhang0 dapengzhang0 added this to the Next milestone Oct 21, 2021
@ejona86
Member

ejona86 commented Oct 21, 2021

You are free to upgrade to newer versions of Netty, but understand that we have not tested them exhaustively. But since you seem to be using Netty yourselves, you should be able to notice any fall-out and report issues.

If you don't directly use Netty yourself, we'd encourage you to use grpc-netty-shaded, at which point you could upgrade Netty to your liking.

@dapengzhang0
Member

Another reason we need to officially provide a gRPC-compatible upgraded Netty dependency:
Netty v4.1.67 and earlier is affected by CVE-2021-37137 (GHSA-grg4-wf29-r9vv).

@ejona86
Member

ejona86 commented Nov 15, 2021

@dapengzhang0, it seems like someone manually upgrading Netty "works," but we don't trust it yet because we've not yet investigated the behavior change. Upgrading Netty is possible, but comes with the "you're on your own" mentality that always comes with using a different version of netty.

@ejona86
Member

ejona86 commented Nov 23, 2021

gRPC does seem to have an issue with newer versions of Netty. We're impacted by netty/netty-tcnative#680. We expect the bug started being triggered in 4.1.65 which enabled tasks, although we haven't confirmed that to be true.

@normanmaurer

@ejona86 FYI, you can work around this by disabling tasks via:

builder.option(OpenSslContextOption.USE_TASKS, false);

Also note there is a PR that will fix this as part of the next netty release:

netty/netty#11854
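How the workaround quoted above fits into a grpc-netty server's TLS setup, as an added example that is not code from this thread or from grpc-java itself; the certificate and key file paths and the port are hypothetical, and the example assumes netty-tcnative-boringssl-static is on the classpath so that the OPENSSL provider (the only one on which OpenSslContextOption has any effect) is actually selected:

```java
import java.io.File;
import java.io.IOException;

import io.grpc.Server;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyServerBuilder;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.OpenSslContextOption;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

public final class TlsServerWithWorkaround {

    /** Builds the server-side SslContext with the USE_TASKS workaround applied. */
    static SslContext buildServerSslContext(File certChain, File privateKey) throws IOException {
        // Fail fast if netty-tcnative is missing: without the OpenSSL provider the
        // option below is silently meaningless and the JDK provider would be used.
        if (!OpenSsl.isAvailable()) {
            throw new IllegalStateException("OpenSSL provider unavailable",
                    OpenSsl.unavailabilityCause());
        }
        SslContextBuilder builder = SslContextBuilder.forServer(certChain, privateKey)
                .sslProvider(SslProvider.OPENSSL)
                // Workaround from the thread: disable tcnative "tasks" so the
                // netty/netty-tcnative#680 bug is not triggered on Netty >= 4.1.64.
                .option(OpenSslContextOption.USE_TASKS, false);
        // GrpcSslContexts.configure applies the ALPN (h2) and cipher settings gRPC requires.
        return GrpcSslContexts.configure(builder).build();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical paths; replace with the real certificate chain and private key.
        SslContext sslContext = buildServerSslContext(new File("server.crt"), new File("server.pem"));
        Server server = NettyServerBuilder.forPort(8443)
                .sslContext(sslContext)
                // .addService(...) your gRPC services here
                .build()
                .start();
        server.awaitTermination();
    }
}
```

Once the netty release carrying netty/netty#11854 is in use, the `.option(...)` line can simply be dropped; the rest of the setup is unchanged.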

@normanmaurer

Also the change that triggered this was introduced in 4.1.64.Final:

netty/netty#11242

@ejona86
Member

ejona86 commented Nov 24, 2021

@sanjaypujare, it'd be fair to use the workaround for the upgrade.

@sanjaypujare
Contributor

...
Also note there is a PR that will fix this as part of the next netty release:

netty/netty#11854

@normanmaurer what's the ETA for the next netty release?

@normanmaurer

@sanjaypujare next week

@sanjaypujare
Contributor

@sanjaypujare next week

Thanks!

@ejona86 Considering it's so imminent I will wait to use this new release for grpc-java's netty upgrade. If that fails because of some new issues in the release then I'll use 4.1.70.Final with the workaround.

@jukelly

jukelly commented Dec 15, 2021

Has there been any update here? I see Netty has released their new version.

@ejona86
Member

ejona86 commented Dec 16, 2021

@jukelly, the new version fixes all known issues, but we've not yet done extensive testing. I wouldn't expect updates until early January when devs get back from the holidays.
