Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2021/04/22 11:29:03 UTC

[jira] [Commented] (JAMES-3567) Apache James 3.6 has Critical Vulnerability in dependent libs

    [ https://issues.apache.org/jira/browse/JAMES-3567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17328025#comment-17328025 ] 

Benoit Tellier commented on JAMES-3567:
---------------------------------------

Hello, thanks for the report.

Netty upgrade for the SMTP/IMAP stacks is a long-standing topic on which contributions would be welcome.

netty-3.10.6.Final.jar is only used for IMAP and SMTP and thus is not impacted by CVEs on HTTP.

netty 4.1.53 is used by our S3 driver, we should likely consider an upgrade.

jgroups is brought in by Apache ActiveMQ Artemis. Please do open a ticket to warn them as well.

A mitigation for James regarding JGroups would be:
 - to see if an Artemis upgrade solves the issue.
 - and to remove the dependency on ActiveMQ by better organising the Guice modules and their dependencies.

Finally, there is a standard process for discussing possible security problems at Apache (cf. https://www.apache.org/security/).

> Apache James 3.6 has Critical Vulnerability in dependent libs
> -------------------------------------------------------------
>
>                 Key: JAMES-3567
>                 URL: https://issues.apache.org/jira/browse/JAMES-3567
>             Project: James Server
>          Issue Type: Improvement
>          Components: James Core
>    Affects Versions: 3.6.0
>         Environment: Docker Image: - apache/james:distributed-3.6.0 
>            Reporter: Rikin Patel
>            Priority: Major
>              Labels: vulnerability
>
> /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar: -
>     ->  HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header
>     -> HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold". Impacted Image File(s): /root/james-server-cassandra-guice.lib/netty-3.10.6.Final.jar
> /root/james-server-cassandra-guice.lib/jgroups-3.6.13.Final.jar
>     -> JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
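The two Netty defects quoted in the issue description are request-smuggling primitives: a Content-Length header accompanied by a second Content-Length or by Transfer-Encoding leaves the body length ambiguous, and a header line without a colon can be read as a continuation ("fold") of the previous header by one parser and as garbage by another. The following strict header-section checker is an added example written for this page; it is not code from Apache James, Netty or the reporter. It applies the RFC 7230 rules (one unambiguous length, no whitespace before the colon, no obs-fold) to constructed sample requests and rejects exactly the shapes the CVE descriptions call out. Function names and the sample requests are this example's own.

```python
"""
Strict HTTP/1.1 header-section validation (added example; not James/Netty code).

Rejects the lenient-parsing shapes named in the quoted Netty descriptions:
  1. Content-Length next to a second Content-Length or a Transfer-Encoding
  2. a header line with no colon (possible obs-fold / split-header confusion)
"""
from typing import Dict, List, Tuple

CRLF = b"\r\n"


def parse_header_section(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Parse request line + headers from a raw request.

    Raises ValueError on anything a strict RFC 7230 parser must refuse.
    Returns (request_line, headers); names are lower-cased and every
    occurrence is kept so duplicates stay visible to the caller.
    """
    head, sep, _body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no end of header section")
    lines = head.split(CRLF)
    request_line = lines[0].decode("ascii", errors="strict")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        # Bare CR or LF inside a line means the peer may split lines differently.
        if b"\r" in line or b"\n" in line:
            raise ValueError(f"bare CR/LF inside header line: {line!r}")
        # Defect 2: no colon. A leading SP/HTAB would be obs-fold, which RFC 7230
        # says a server must reject or normalise; a strict server rejects it.
        if b":" not in line:
            raise ValueError(f"header line without colon: {line!r}")
        name, _, value = line.partition(b":")
        # RFC 7230 3.2.4: no whitespace between field-name and colon, no empty name.
        if not name or name != name.strip():
            raise ValueError(f"malformed field-name: {name!r}")
        headers.setdefault(name.decode("ascii").lower(), []).append(
            value.strip().decode("ascii")
        )
    return request_line, headers


def framing_problem(headers: Dict[str, List[str]]) -> str:
    """Return '' if body framing is unambiguous, else a reason string.

    Defect 1: Content-Length paired with a second Content-Length or with
    Transfer-Encoding. A comma-list value like "1, 2" is also refused.
    """
    cls = headers.get("content-length", [])
    tes = headers.get("transfer-encoding", [])
    if cls and tes:
        return "Content-Length and Transfer-Encoding both present"
    if len(cls) > 1:
        return "multiple Content-Length headers"
    if len(cls) == 1 and not cls[0].isdigit():
        return f"non-numeric Content-Length: {cls[0]!r}"
    return ""


def accept(raw: bytes) -> Tuple[bool, str]:
    """Strict gate: (True, '') for an unambiguous request, else (False, why)."""
    try:
        _, headers = parse_header_section(raw)
    except ValueError as exc:
        return False, str(exc)
    why = framing_problem(headers)
    return (why == ""), why


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
    "dup_cl": (b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n"
               b"Content-Length: 6\r\n\r\nhello"),
    "cl_te": (b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "no_colon": b"GET /a HTTP/1.1\r\nHost: x\r\nX-Bogus no colon here\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, accept(request))
```

Only "clean" passes; the other three are refused with the reason a front-end proxy would want to log. The check is deliberately stricter than older Netty: it refuses rather than silently picking one of the conflicting lengths, since any choice can disagree with the next hop in the chain.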