
Bump Netty version to mitigate CVE-2020-11612

See original GitHub issue

As per https://nvd.nist.gov/vuln/detail/CVE-2020-11612, there is a known vulnerability with the current Netty version used by ktor - 4.1.44.Final

I’ll raise a PR to bump to 4.1.48.Final

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

4 reactions
xcq1 commented, May 13, 2020

Is this CVE not relevant when using ktor, or am I missing something? It strikes me as a bit odd to leave a fix for a ‘score critical’ CVE lying around for a month if it can easily be solved by bumping a version?

2 reactions
alyssa-glean commented, Jun 12, 2020

There is a workaround whilst my PR remains outstanding - you can force the resolution yourself in your build.gradle:

configurations.all {
    resolutionStrategy {
        // To be deleted when issue https://github.com/ktorio/ktor/pull/1779 is released and we bump ktor.
        // Every io.netty module that ktor pulls in transitively is pinned to the same release:
        // forcing only some of them would leave mismatched Netty jars on the classpath.
        force("io.netty:netty-codec-http2:4.1.48.Final")
        force("io.netty:netty-transport-native-kqueue:4.1.48.Final")
        force("io.netty:netty-transport-native-epoll:4.1.48.Final")
        force("io.netty:netty-codec-http:4.1.48.Final")
        force("io.netty:netty-handler:4.1.48.Final")
        force("io.netty:netty-codec:4.1.48.Final")
        force("io.netty:netty-transport:4.1.48.Final")
        force("io.netty:netty-buffer:4.1.48.Final")
        force("io.netty:netty-resolver:4.1.48.Final")
        force("io.netty:netty-common:4.1.48.Final")
    }
}

Not ideal to have to maintain that, of course, but it will at least patch the CVE in your application and make the OWASP check go green if you’ve automated it someplace 😄
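A check for the workaround above, added here as an example and not code from the ktor project or from the commenter: it parses the text of `./gradlew dependencies --configuration runtimeClasspath`, reports every io.netty module that still resolves below 4.1.46 (the first fixed 4.1.x release according to the NVD entry for CVE-2020-11612), and regenerates the force(...) list from the modules actually present on the classpath, so a transitive Netty module that a hand-written list misses (a second library pulling in an older netty-buffer, a native transport with a platform classifier) is not left at the old version. The "declared -> resolved" notation and the "(*)" marker are what Gradle prints; the dependency tree embedded below is constructed for the example and is not ktor's real tree.

```python
"""Verify that every io.netty module on a Gradle classpath resolved to a version
carrying the fix for CVE-2020-11612 (Netty 4.1.46 or later).

Usage: ./gradlew dependencies --configuration runtimeClasspath > deps.txt
       python netty_check.py deps.txt          (no argument: runs on SAMPLE_TREE)
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample (not output from the ktor project). It shows the shape Gradle
# prints when a forced version replaces the declared one ("declared -> resolved"),
# a native module carrying a platform classifier that nothing forced, and a second
# library that pulls in an older netty-buffer.
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- io.ktor:ktor-server-netty:1.3.2
|    +--- io.netty:netty-codec-http2:4.1.44.Final -> 4.1.48.Final
|    |    +--- io.netty:netty-codec-http:4.1.44.Final -> 4.1.48.Final
|    |    |    +--- io.netty:netty-codec:4.1.44.Final -> 4.1.48.Final (*)
|    |    |    \\--- io.netty:netty-handler:4.1.44.Final -> 4.1.48.Final (*)
|    |    \\--- io.netty:netty-common:4.1.48.Final
|    +--- io.netty:netty-transport-native-epoll:4.1.44.Final:linux-x86_64
|    \\--- io.netty:netty-transport-native-kqueue:4.1.44.Final -> 4.1.48.Final
\\--- com.example:some-other-lib:2.0
     \\--- io.netty:netty-buffer:4.1.42.Final (*)
"""

FIXED_VERSION = "4.1.46.Final"  # first 4.1.x release without the ZlibDecoder bug (NVD)

# One tree line: drawing prefix, group:artifact[:version[:classifier]], optional "-> resolved".
LINE_RE = re.compile(
    r"^[\s|+\\-]*"
    r"(?P<coord>[A-Za-z0-9_.\-]+:[A-Za-z0-9_.\-]+(?::\S+)?)"
    r"(?:\s+->\s+(?P<resolved>\S+))?"
)


def version_key(version: str) -> Tuple[int, ...]:
    """'4.1.48.Final' -> (4, 1, 48); the '.Final' qualifier is ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def resolved_netty_versions(tree: str) -> Dict[str, str]:
    """Map each io.netty artifact in the tree to the version Gradle resolved it to.

    The right-hand side of "->" wins; otherwise the declared version is the resolved
    one. Gradle resolves one version per module per configuration, so repeated nodes
    (marked "(*)") agree with the first occurrence.
    """
    resolved: Dict[str, str] = {}
    for line in tree.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")
        group, artifact = parts[0], parts[1]
        if group != "io.netty":
            continue
        version = m.group("resolved") or (parts[2] if len(parts) > 2 else None)
        if version is None:
            continue  # a constraint-only node carries no version to check
        resolved[artifact] = version
    return resolved


def vulnerable_netty_modules(tree: str, fixed: str = FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (artifact, resolvedVersion) for every io.netty module below `fixed`."""
    floor = version_key(fixed)
    return sorted(
        (artifact, version)
        for artifact, version in resolved_netty_versions(tree).items()
        if version_key(version) < floor
    )


def force_block(tree: str, target: str = "4.1.48.Final") -> str:
    """Render a Gradle resolutionStrategy block that forces every io.netty module the
    tree actually contains, so no transitive module is left off the list."""
    lines = [f'        force("io.netty:{a}:{target}")' for a in sorted(resolved_netty_versions(tree))]
    return "configurations.all {\n    resolutionStrategy {\n" + "\n".join(lines) + "\n    }\n}"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    bad = vulnerable_netty_modules(text)
    for artifact, version in bad:
        print(f"io.netty:{artifact} resolved to {version} (< {FIXED_VERSION})")
    print(force_block(text))
    sys.exit(1 if bad else 0)  # non-zero so a CI step fails while an old module remains
```

On the constructed tree the script flags netty-buffer (4.1.42.Final, brought in by the second library) and netty-transport-native-epoll (4.1.44.Final, never forced) and prints a force block with all eight modules, which is the list to paste into build.gradle. The version comparison is numeric on the dotted prefix, so it keeps working for 4.1.50.Final and later; the script does not consult a CVE feed, it only checks against the fixed version taken from the NVD description.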


Top Results From Across the Web

CVE-2020-11612
Description. The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream.

upgrade netty to address CVE-2020-11612
The owasp checker is failing with the following. I looked and seems like a DOS attack vector "The ZlibDecoders in Netty 4.1.x before...

HTTP Request Smuggling Vulnerability in the The Netty ...
This issue has not yet been fixed in a released version of the library. Moreover, there are no known mitigation steps.

Dependency-Check Report
dependency-check version: 6.1.1; Report Generated On: Fri, ... [Closed] (GROOVY-9552) Bump Ant versions to address: [CVE-2020-1945] Apache Ant insecure ...

CVE Reference Map for Source MLIST
MLIST:Security release of kubectl versions v1.16.0 / 1.15.4 / 1.14.7 and 1.13.11 ... 20091107 CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation ...
