Synopsys BlackDuck v2020.4.2 finds Medium vulnerability in io.netty:netty-all:4.1.50.Final
Expected behavior
No security issues.
Actual behavior
BDSA-2018-4022 MEDIUM (score 4.9) https://blackduck.opentext.net/api/vulnerabilities/BDSA-2018-4022
Netty does not verify the hostname when establishing connections with clients, which allows a potential attacker to forge a certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate which will be accepted by Netty due to missing hostname verification.
How to fix it: No Solution. No Workaround.
Common Weakness Enumeration (CWE): CWE-295 - Improper Certificate Validation. The software does not validate, or incorrectly validates, a certificate.
Steps to reproduce
Execute BlackDuck scan on io.netty:netty-all:4.1.50.Final
Minimal yet complete reproducer code (or URL to code)
Netty version
netty-all:4.1.50.Final
JVM version (e.g. java -version)
java version “1.7.0_261” OpenJDK Runtime Environment (amzn-2.6.22.1.83.amzn1-x86_64 u261-b02) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
OS version (e.g. uname -a)
Linux ip-10-240-83-160 4.14.177-107.254.amzn1.x86_64 #1 SMP Thu May 7 18:30:14 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Issue Analytics
- Created 3 years ago
- Comments: 12 (6 by maintainers)
Top GitHub Comments
@piotrkrokowski
Try this:
Host validation will not be enabled by default in Netty 4.1.
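The opt-in the comment above refers to, shown as an added example rather than the snippet the maintainer posted: a Netty 4.1 client initializer that switches on the JDK's endpoint identification so the server certificate's name is checked against the expected host. The class name, the explicit JDK provider, and the peer host/port are assumptions of this example.

```java
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/**
 * Client-side initializer (example, not Netty's own code) that enables
 * hostname verification for the TLS handshake. Netty 4.1 leaves it off,
 * so without this step any certificate chaining to a trusted CA is
 * accepted no matter which name it was issued for (CWE-295).
 */
public final class VerifyingClientInitializer extends ChannelInitializer<Channel> {
    private final SslContext sslCtx;
    private final String peerHost; // name the server certificate must carry
    private final int peerPort;

    public VerifyingClientInitializer(String peerHost, int peerPort) throws SSLException {
        // JDK provider assumed here; the default trust store is used, so the
        // chain is still validated against the system CAs as before.
        this.sslCtx = SslContextBuilder.forClient()
                .sslProvider(SslProvider.JDK)
                .build();
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    @Override
    protected void initChannel(Channel ch) {
        // Passing host and port sets SNI and tells the engine who the peer is.
        SslHandler sslHandler = sslCtx.newHandler(ch.alloc(), peerHost, peerPort);
        SSLEngine engine = sslHandler.engine();

        // The actual fix: "HTTPS" makes the JDK compare the certificate's
        // SAN/CN entries with peerHost during the handshake.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);

        ch.pipeline().addFirst("ssl", sslHandler);
        // application handlers would be added after the SslHandler
    }
}
```

With this in place a handshake against a certificate issued for another name fails with an SSLHandshakeException instead of silently succeeding.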