
When to upgrade Netty to 4.1.72? #8803

Closed
Given0306 opened this issue Jan 6, 2022 · 8 comments

@Given0306

New CVE vulnerability : https://nvd.nist.gov/vuln/detail/CVE-2021-43797#range-7253854

@sanjaypujare
Contributor

PR #8780 is being worked on for this.

@ejona86
Member

ejona86 commented Jan 7, 2022

Note that grpc-netty-shaded is not impacted by the CVE. The CVE is a concern if Netty is being used elsewhere in your application.

@ejona86
Member

ejona86 commented Jan 11, 2022

We upgraded in #8780. Assuming no further issues, it'd be in 1.44.0.

@ejona86 ejona86 closed this as completed Jan 11, 2022
@ejona86
Member

ejona86 commented Jan 11, 2022

In the end, there were no changes to gRPC (just tests). So you can upgrade Netty yourself without issue if using grpc-netty instead of grpc-netty-shaded (although we prefer users to use grpc-netty-shaded).

@patgalaz

Hi @ejona86. As Valdemiro commented in #8781 (comment) some days ago, PaloAltoNetworks' Prisma Cloud Scan shows some vulnerabilities in netty-codec, but finds them inside the grpc-netty-shaded jar. At my work we have several microservices that have grpc-netty-shaded as a transitive dependency. PaloAltoNetworks' Prisma Cloud Scan is reporting these microservices with several vulnerabilities (some of high severity) due to grpc-netty-shaded.

I would appreciate it if you would prioritize the release of the version that fixes these vulnerabilities.

@ejona86
Member

ejona86 commented Jan 14, 2022

grpc-netty-shaded is not impacted by the recent HTTP request smuggling and other related HTTP/1 and compression vulnerabilities. So the tool is reporting false positives.

In #8165 (released in v1.39.0) I made a change that might reduce the number of false positives.

@sergiitk
Member

sergiitk commented Jan 14, 2022

Hey @patgalaz. Getting the fixed version out is the first priority for us. v1.44.x with the Netty upgrade (#8780) has been cut this week and is going through extensive testing. This upgrade turned out to be difficult due to many implicit breaking changes. While we want to release ASAP, we cannot jeopardize the stability of the product. No one wants their project breaking because we didn't do enough testing.

Planned release date for v1.44.0 is Jan 25, and if all tests pass, it will contain Netty 4.1.72.Final. Until then, if this blocks you, it's possible to use non-shaded Netty directly, as @ejona86 pointed out in #8803 (comment).

EDIT: Netty 4.1.72.Final

@ejona86
Member

ejona86 commented Jan 14, 2022

I would recommend continuing to use grpc-netty-shaded instead of grpc-netty with an upgraded Netty. grpc-netty-shaded has precise usage of netty, and with a direct dependency on Netty it is easier to be exposed to all Netty vulnerabilities (since then it is unclear if your app or a library is using netty directly). Yes, you can use grpc-netty if you really have to, but it is easy to forget to swap back to grpc-netty-shaded, and then you have a less obvious security posture for the future. Said another way, swapping to grpc-netty for the security reasons listed hurts actual security in the name of compliance.
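A check for the point raised in the comment above (is your app or one of its libraries pulling Netty directly?), added here as an example and not part of this thread or the gRPC project: it walks a set of jars and reports which ones carry Netty classes unshaded, where a Netty CVE actually applies, versus only relocated inside grpc-netty-shaded. The relocation prefix `io/grpc/netty/shaded/io/netty/` and the sample jars built by `demo()` are assumptions and constructed data, not taken from the issue.

```python
"""Classify jars by whether they expose Netty classes unshaded (io/netty/...)
or only relocated inside grpc-netty-shaded, to tell where a Netty CVE applies."""
import tempfile
import zipfile
from pathlib import Path

# Assumed relocation prefix used by grpc-netty-shaded (not stated in the issue).
SHADED_PREFIX = "io/grpc/netty/shaded/io/netty/"
UNSHADED_PREFIX = "io/netty/"

def classify_jar(path):
    """Return (kind, version) for one jar, kind in {'unshaded', 'shaded', 'none'}.

    'unshaded' means some class lives directly under io/netty/, i.e. the jar is
    a real Netty dependency rather than gRPC's relocated copy. The version is
    read from Maven's pom.properties when present. 'unshaded' beats 'shaded'.
    """
    kind, version = "none", None
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            if name.startswith(UNSHADED_PREFIX) and name.endswith(".class"):
                kind = "unshaded"
            elif name.startswith(SHADED_PREFIX) and kind == "none":
                kind = "shaded"
            if name.startswith("META-INF/maven/io.netty/") and name.endswith("pom.properties"):
                for line in jar.read(name).decode().splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    return kind, version

def direct_netty_jars(classpath):
    """Jars that expose Netty unshaded: the ones a Netty CVE would actually apply to."""
    return sorted(str(p) for p in classpath if classify_jar(p)[0] == "unshaded")

def _make_jar(path, entries):
    """Write a constructed jar with the given {entry name: bytes} (sample data)."""
    with zipfile.ZipFile(path, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)

def demo():
    """Constructed classpath: shaded gRPC jar, direct netty-codec-http jar, unrelated jar."""
    root = Path(tempfile.mkdtemp())
    cls = "handler/codec/http/HttpObjectDecoder.class"
    _make_jar(root / "grpc-netty-shaded.jar", {SHADED_PREFIX + cls: b""})
    _make_jar(root / "netty-codec-http.jar", {UNSHADED_PREFIX + cls: b"",
              "META-INF/maven/io.netty/netty-codec-http/pom.properties": b"version=4.1.72.Final\n"})
    _make_jar(root / "guava.jar", {"com/google/common/base/Strings.class": b""})
    return {p.name: classify_jar(p) for p in sorted(root.glob("*.jar"))}
```

Point `direct_netty_jars()` at the jars of a real deployment to see whether a scanner finding on Netty names a dependency you actually have or the relocated copy inside grpc-netty-shaded.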

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 15, 2022