Skip to content
This repository has been archived by the owner on Apr 5, 2024. It is now read-only.

Commit

Permalink
Override the netty dependency to fix CVE-2023-44487 (#532)
Browse files Browse the repository at this point in the history
  • Loading branch information
jframe authored Oct 19, 2023
1 parent 8f02e28 commit cea5614
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 13 deletions.
11 changes: 0 additions & 11 deletions gradle/owasp-suppression.xml
Original file line number Diff line number Diff line change
Expand Up @@ -8,17 +8,6 @@
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.10\.[2-9]$</packageUrl>
<vulnerabilityName>CVE-2023-36415</vulnerabilityName>
</suppress>
<suppress until="2023-12-12">
<notes><![CDATA[
Temporary suppression, as it's arguably a false positive: https://github.com/netty/netty/issues/8537#issuecomment-1527896917
The correct thing to do is ensure hostname verification is enabled: https://codetinkering.com/enable-hostname-verification-netty/
This is indeed the case for Azure, which is the netty-handler: https://github.com/Azure/azure-sdk-for-java/issues/18286#issuecomment-947958978
The other vulnerable lib is besu-metrics, which might want looking at, will see if this CVE gets flagged in besu first
file name: netty-handler-4.1.97.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty*@*.*$</packageUrl>
<vulnerabilityName>CVE-2023-4586</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Suppress CVE-2023-35116 as this is not considered a CVE according to discussion in https://github.com/FasterXML/jackson-databind/issues/3972
Expand Down
4 changes: 2 additions & 2 deletions gradle/versions.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -127,8 +127,8 @@ dependencyManagement {
entry 'kotlin-stdlib-jdk7'
entry 'kotlin-stdlib-jdk8'
}
// addressing CVE-2022-41881 and CVE-2022-41915
dependencySet(group: 'io.netty', version: '4.1.97.Final') {
// addressing CVE-2023-44487
dependencySet(group: 'io.netty', version: '4.1.100.Final') {
entry 'netty-all'
entry 'netty-codec-http2'
entry 'netty-handler-proxy'
Expand Down

0 comments on commit cea5614

Please sign in to comment.