
Synopsys BlackDuck v2020.4.2 finds Medium vulnerability in io.netty:netty-all:4.1.50.Final

See original GitHub issue

Expected behavior

No security issues.

Actual behavior

BDSA-2018-4022 MEDIUM (score 4.9) https://blackduck.opentext.net/api/vulnerabilities/BDSA-2018-4022

Netty does not verify the hostname when establishing connections with clients which allows a potential attacker to forge a certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate which will be accepted by Netty due to missing hostname verification.

How to fix it: No Solution. No Workaround.

Common Weakness Enumeration (CWE): CWE-295 - Improper Certificate Validation. The software does not validate, or incorrectly validates, a certificate.

Steps to reproduce

Execute BlackDuck scan on io.netty:netty-all:4.1.50.Final

Minimal yet complete reproducer code (or URL to code)

Netty version

netty-all:4.1.50.Final

JVM version (e.g. java -version)

java version "1.7.0_261"
OpenJDK Runtime Environment (amzn-2.6.22.1.83.amzn1-x86_64 u261-b02)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

OS version (e.g. uname -a)

Linux ip-10-240-83-160 4.14.177-107.254.amzn1.x86_64 #1 SMP Thu May 7 18:30:14 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments:12 (6 by maintainers)

Top GitHub Comments

2 reactions
hyperxpro commented, Mar 25, 2021

@piotrkrokowski

Try this:

    // Imports the snippet needs; the Netty types all live in io.netty.handler.ssl.
    import java.security.KeyStore;
    import javax.net.ssl.TrustManagerFactory;
    import io.netty.handler.ssl.ApplicationProtocolConfig;
    import io.netty.handler.ssl.ApplicationProtocolNames;
    import io.netty.handler.ssl.InsecureTrustManagerFactory;
    import io.netty.handler.ssl.OpenSsl;
    import io.netty.handler.ssl.SslContextBuilder;
    import io.netty.handler.ssl.SslProvider;

    // acceptAllCerts, protocols, mutualTLS, useStartTLS and Protocol.getProtocols(...)
    // are fields and helpers of the commenter's own code base, not part of Netty.
    TrustManagerFactory trustManagerFactory;
    if (acceptAllCerts) {
        // Trusts every certificate, so neither the chain nor the hostname is checked; test use only.
        trustManagerFactory = InsecureTrustManagerFactory.INSTANCE;
    } else {
        try {
            // Default algorithm (PKIX on the JDK) backed by the JVM's default trust store.
            trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init((KeyStore) null);
        } catch (Exception ex) {
            throw new IllegalArgumentException("Error occurred while building TrustManagerFactory", ex);
        }
    }

    // Client context: native OpenSSL engine when netty-tcnative is on the classpath, JDK engine otherwise.
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient()
            .sslProvider(OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK)
            .protocols(Protocol.getProtocols(protocols))
            .clientAuth(mutualTLS.clientAuth())
            .trustManager(trustManagerFactory)
            .startTls(useStartTLS)
            // ALPN: offer HTTP/2 first, then HTTP/1.1.
            .applicationProtocolConfig(new ApplicationProtocolConfig(
                    ApplicationProtocolConfig.Protocol.ALPN,
                    ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                    ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                    ApplicationProtocolNames.HTTP_2,
                    ApplicationProtocolNames.HTTP_1_1));
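Added example, written for this page and not taken from the issue, the commenter or the Netty project: it shows the check the advisory and CWE-295 describe as missing, hostname verification, being switched on for a Netty 4.1 client. Choosing a trust manager, as in the snippet above, decides whether the certificate chain is trusted; whether the certificate's name matches the host the client dialed is a separate SSLEngine parameter, the endpoint identification algorithm, which Netty leaves unset. Assumptions: Netty 4.1.x with its JDK SslProvider is on the classpath; the peer example.com:443, the class HostnameVerifiedClient and its method names are constructed for illustration. The OpenSSL provider honours the same parameter only with a netty-tcnative build that supports it, so check that before relying on it there.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/**
 * Example class (hypothetical, not Netty code): builds a client SslHandler once
 * without and once with hostname (endpoint identification) verification.
 */
public final class HostnameVerifiedClient {

    /**
     * Weak form: the chain is validated against the context's trust manager,
     * but nothing ties the presented certificate to the host we dialed.
     * Any certificate issued by a trusted CA, for any name, is accepted.
     */
    static SslHandler withoutHostnameVerification(SslContext ctx, String host, int port) {
        return ctx.newHandler(ByteBufAllocator.DEFAULT, host, port);
    }

    /**
     * Hardened form: the same handler, plus RFC 6125 "HTTPS" endpoint
     * identification, so the JDK matches the certificate's SAN/CN against
     * {@code host}. {@code host} must be the name the client intended to
     * reach (not a resolved IP), because that is what newHandler hands to the
     * engine as peer host and what the name check compares against.
     */
    static SslHandler withHostnameVerification(SslContext ctx, String host, int port) {
        SslHandler handler = ctx.newHandler(ByteBufAllocator.DEFAULT, host, port);
        SSLEngine engine = handler.engine();
        SSLParameters params = engine.getSSLParameters(); // returns a copy
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);                   // apply the copy
        return handler;
    }

    /** Check a handler was configured with hostname verification. */
    static boolean verifiesHostname(SslHandler handler) {
        String alg = handler.engine().getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    /** Initializer a practitioner would hand to Bootstrap.handler(...). */
    static ChannelInitializer<Channel> initializer(SslContext ctx, String host, int port) {
        return new ChannelInitializer<Channel>() {
            @Override
            protected void initChannel(Channel ch) {
                ChannelPipeline p = ch.pipeline();
                // SSL must sit first so every later handler sees plaintext.
                p.addFirst("ssl", withHostnameVerification(ctx, host, port));
            }
        };
    }

    public static void main(String[] args) throws SSLException {
        // No trustManager(...) call: the JDK provider falls back to the JVM's default trust store.
        SslContext ctx = SslContextBuilder.forClient()
                .sslProvider(SslProvider.JDK)
                .build();
        String host = "example.com"; // constructed sample peer
        int port = 443;

        SslHandler weak = withoutHostnameVerification(ctx, host, port);
        SslHandler hardened = withHostnameVerification(ctx, host, port);
        System.out.println("weak verifies hostname:     " + verifiesHostname(weak));
        System.out.println("hardened verifies hostname: " + verifiesHostname(hardened));
    }
}
```

The parameter only helps on top of real chain validation: with InsecureTrustManagerFactory the peer is accepted whatever it presents, so an attacker simply self-signs a certificate carrying the expected name and the endpoint check buys nothing. When the handshake fails after this change, SslHandler.handshakeFuture() carries the cause, and a name mismatch surfaces as a CertificateException from the JDK naming the hostname that did not match.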
0 reactions
hyperxpro commented, Nov 18, 2021

Whitesource mentions that the fix is available in version 4.1.69.Final. Can this be confirmed?

Host validation will not be enabled by default in Netty 4.1.
