When to upgrade Netty to 4.1.72? #8803
Comments
PR #8780 is being worked on for this.
Note that grpc-netty-shaded is not impacted by the CVE. The CVE is a concern if Netty is being used elsewhere in your application.
We upgraded in #8780. Assuming no further issues, it'd be in 1.44.0.
In the end, there were no changes to gRPC (just tests). So you can upgrade Netty yourself without issue if using grpc-netty instead of grpc-netty-shaded (although we prefer users to use grpc-netty-shaded).
Hi @ejona86. As Valdemiro commented in #8781 (comment) some days ago, PaloAltoNetworks' Prisma Cloud Scan shows some vulnerabilities in netty-codec, but finds them inside the grpc-netty-shaded jar. In my work we have several microservices that have grpc-netty-shaded as a transitive dependency. PaloAltoNetworks' Prisma Cloud Scan is reporting these microservices with several vulnerabilities (some of high type) due to grpc-netty-shaded. I would appreciate it if you would prioritize the release of the version that fixes these vulnerabilities.
grpc-netty-shaded is not impacted by the recent HTTP request smuggling and other related HTTP/1 and compression vulnerabilities. So the tool is reporting false positives. In #8165 (released in v1.39.0) I made a change that might reduce the number of false positives.
Hey @patgalaz. Getting the fixed version out is the first priority for us. Planned release date for EDIT: Netty 4.1.72.Final
I would recommend continuing to use grpc-netty-shaded instead of grpc-netty with an upgraded Netty. grpc-netty-shaded has precise usage of Netty, and with a direct dependency on Netty it is easier to be exposed to all Netty vulnerabilities (since then it is unclear if your app or a library is using Netty directly). Yes, you can use grpc-netty if you really have to, but it is easy to forget to swap back to grpc-netty-shaded and then you have a less obvious security posture for the future. Said another way, swapping to grpc-netty for the security reasons listed hurts actual security in the name of compliance.
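A triage check for the scanner false positives discussed above, added here as an example and not code from the thread or the grpc project: it inspects a jar and reports whether Netty classes are relocated under grpc's shaded package, whether any unrelocated io.netty classes are present, and which Netty versions the bundled META-INF/maven pom.properties metadata declares. The metadata path, the relocation prefix and the in-memory sample jar are assumptions constructed for the demo.

```python
import io
import zipfile

# Assumed relocation prefix used by grpc-netty-shaded for its private Netty copy.
SHADED_PREFIX = "io/grpc/netty/shaded/io/netty/"
# Where Netty classes live when Netty is a plain (unshaded) dependency.
UNSHADED_PREFIX = "io/netty/"
# Assumed location of bundled Maven metadata; many SCA scanners key on these files.
METADATA_PREFIX = "META-INF/maven/io.netty/"


def inspect_jar(jar_bytes):
    """Summarise how Netty appears inside a jar.

    relocated   - count of Netty classes under the shaded package (benign for grpc)
    unrelocated - Netty classes at io/netty/, i.e. a real direct Netty exposure
    versions    - Netty artifactId -> version from bundled pom.properties files
    """
    relocated, unrelocated, versions = 0, [], {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                if name.startswith(SHADED_PREFIX):
                    relocated += 1
                elif name.startswith(UNSHADED_PREFIX):
                    unrelocated.append(name)
            elif name.startswith(METADATA_PREFIX) and name.endswith("pom.properties"):
                props = dict(
                    line.split("=", 1)
                    for line in zf.read(name).decode().splitlines()
                    if "=" in line and not line.startswith("#")
                )
                versions[props.get("artifactId", "?")] = props.get("version", "?")
    return {"relocated": relocated, "unrelocated": unrelocated, "versions": versions}


def build_sample_jar(entries):
    """Build a constructed in-memory jar (not a real grpc artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: relocated Netty classes plus metadata a scanner would flag.
SAMPLE_JAR = build_sample_jar({
    SHADED_PREFIX + "handler/codec/http/HttpObjectDecoder.class": b"",
    SHADED_PREFIX + "handler/codec/http2/Http2FrameCodec.class": b"",
    METADATA_PREFIX + "netty-codec-http/pom.properties":
        b"#generated\ngroupId=io.netty\nartifactId=netty-codec-http\nversion=4.1.72.Final\n",
})

if __name__ == "__main__":
    print(inspect_jar(SAMPLE_JAR))
```

A non-empty `unrelocated` list is the finding worth acting on; a scanner hit driven only by relocated classes or bundled metadata matches the false-positive pattern described in the comments.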
New CVE vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2021-43797#range-7253854