You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2021/10/06 06:06:40 UTC
[GitHub] [servicecomb-pack] CVEDetect opened a new issue #723: Dependency io.netty:netty-common, leading to CVE problem
CVEDetect opened a new issue #723:
URL: https://github.com/apache/servicecomb-pack/issues/723
Hi, In **servicecomb-pack/omega/omega-connector/omega-connector-grpc**,there is a dependency **io.netty:netty-common:4.1.35.Final** that calls the risk method.
[CVE-2021-21290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21290)
The scope of this CVE affected version is **[,4.1.61.Final)**
After further analysis, in this project, the main Api called is **<io.netty.util.internal.NativeLibraryLoader: void load(java.lang.String,java.lang.ClassLoader)>**
Risk method repair link : [GitHub](https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec)
**CVE Bug Invocation Path--**
**Path Length : 9**
```
<io.netty.util.internal.NativeLibraryLoader: void load(java.lang.String,java.lang.ClassLoader)>
at <io.netty.util.internal.NativeLibraryLoader: void loadFirstAvailable(java.lang.ClassLoader,java.lang.String[])> (io.netty.util.internal.NativeLibraryLoader.java:[96]) in /.m2/repository/io/netty/netty-common/4.1.35.Final/netty-common-4.1.35.Final.jar
at <io.netty.handler.ssl.OpenSsl: void loadTcNative()> (io.netty.handler.ssl.OpenSsl.java:[554]) in /.m2/repository/io/netty/netty-handler/4.1.35.Final/netty-handler-4.1.35.Final.jar
at <io.netty.handler.ssl.OpenSsl: void <clinit>()> (io.netty.handler.ssl.OpenSsl.java:[135]) in /.m2/repository/io/netty/netty-handler/4.1.35.Final/netty-handler-4.1.35.Final.jar
at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslProvider defaultSslProvider()> (io.grpc.netty.GrpcSslContexts.java:[244, 254]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar
at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslContextBuilder configure(io.netty.handler.ssl.SslContextBuilder)> (io.grpc.netty.GrpcSslContexts.java:[171]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar
at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslContextBuilder forClient()> (io.grpc.netty.GrpcSslContexts.java:[120]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar
at <org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder: com.google.common.base.Optional buildSslContext(org.apache.servicecomb.pack.omega.connector.grpc.AlphaClusterConfig)> (org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder.java:[129]) in /detect/unzip/servicecomb-pack-0.6.0/omega/omega-connector/omega-connector-grpc/target/classes
at <org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder: org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContext build()> (org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder.java:[71]) in /detect/unzip/servicecomb-pack-0.6.0/omega/omega-connector/omega-connector-grpc/target/classes
```
**Dependency tree--**
```
[INFO] org.apache.servicecomb.pack:omega-connector-grpc:jar:0.6.0
[INFO] +- io.grpc:grpc-protobuf:jar:1.22.0:compile
[INFO] | +- io.grpc:grpc-api:jar:1.22.0:compile
[INFO] | | +- io.grpc:grpc-context:jar:1.22.0:compile
[INFO] | | +- com.google.errorprone:error_prone_annotations:jar:2.3.2:compile
[INFO] | | +- com.google.code.findbugs:jsr305:jar:3.0.1:compile
[INFO] | | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.17:compile
[INFO] | +- com.google.protobuf:protobuf-java:jar:3.7.1:compile
[INFO] | +- com.google.guava:guava:jar:20.0:compile
[INFO] | +- com.google.api.grpc:proto-google-common-protos:jar:1.12.0:compile
[INFO] | \- io.grpc:grpc-protobuf-lite:jar:1.22.0:compile
[INFO] +- io.grpc:grpc-netty:jar:1.22.0:compile
[INFO] | +- io.grpc:grpc-core:jar:1.22.0:compile (version selected from constraint [1.22.0,1.22.0])
[INFO] | | +- com.google.code.gson:gson:jar:2.8.4:compile
[INFO] | | +- com.google.android:annotations:jar:4.1.1.4:compile
[INFO] | | +- io.perfmark:perfmark-api:jar:0.16.0:compile
[INFO] | | +- io.opencensus:opencensus-api:jar:0.21.0:compile
[INFO] | | \- io.opencensus:opencensus-contrib-grpc-metrics:jar:0.21.0:compile
[INFO] | +- io.netty:netty-codec-http2:jar:4.1.35.Final:compile
[INFO] | | +- io.netty:netty-common:jar:4.1.35.Final:compile
[INFO] | | +- io.netty:netty-buffer:jar:4.1.35.Final:compile
[INFO] | | +- io.netty:netty-transport:jar:4.1.35.Final:compile
[INFO] | | | \- io.netty:netty-resolver:jar:4.1.35.Final:compile
[INFO] | | +- io.netty:netty-codec:jar:4.1.35.Final:compile
[INFO] | | +- io.netty:netty-handler:jar:4.1.35.Final:compile
[INFO] | | \- io.netty:netty-codec-http:jar:4.1.35.Final:compile
[INFO] | \- io.netty:netty-handler-proxy:jar:4.1.35.Final:compile
[INFO] | \- io.netty:netty-codec-socks:jar:4.1.35.Final:compile
[INFO] +- io.netty:netty-tcnative-boringssl-static:jar:2.0.25.Final:compile
[INFO] +- org.apache.servicecomb.pack:omega-transaction:jar:0.6.0:compile
[INFO] | +- org.apache.servicecomb.pack:pack-common:jar:0.6.0:compile
[INFO] | +- org.apache.servicecomb.pack:omega-context:jar:0.6.0:compile
[INFO] | +- org.aspectj:aspectjweaver:jar:1.8.10:compile
[INFO] | +- javax.transaction:javax.transaction-api:jar:1.2:compile
[INFO] | \- org.springframework:spring-core:jar:5.1.8.RELEASE:compile
[INFO] | \- org.springframework:spring-jcl:jar:5.1.8.RELEASE:compile
[INFO] +- org.apache.servicecomb.pack:pack-contract-grpc:jar:0.6.0:compile
[INFO] | \- io.grpc:grpc-stub:jar:1.22.0:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
```
**_Suggested solutions:_**
Update dependency version
Thank you very much.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@servicecomb.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [servicecomb-pack] WillemJiang commented on issue #723: Dependency io.netty:netty-common, leading to CVE problem
Posted by GitBox <gi...@apache.org>.
WillemJiang commented on issue #723:
URL: https://github.com/apache/servicecomb-pack/issues/723#issuecomment-961078501
We may conside to upgarde the grpc version for fix this issue.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@servicecomb.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [servicecomb-pack] CVEDetect closed issue #723: Dependency io.netty:netty-common, leading to CVE problem
Posted by GitBox <gi...@apache.org>.
CVEDetect closed issue #723:
URL: https://github.com/apache/servicecomb-pack/issues/723
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@servicecomb.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [servicecomb-pack] CVEDetect commented on issue #723: Dependency io.netty:netty-common, leading to CVE problem
Posted by GitBox <gi...@apache.org>.
CVEDetect commented on issue #723:
URL: https://github.com/apache/servicecomb-pack/issues/723#issuecomment-935539716
@coolbeevip
Could please help me check this issue?
May I pull a request to fix it?
Thanks again.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@servicecomb.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org