You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "Brandon Williams (Jira)" <ji...@apache.org> on 2022/02/09 13:54:00 UTC

[jira] [Commented] (CASSANDRA-17368) Investigate OWASP failure report

    [ https://issues.apache.org/jira/browse/CASSANDRA-17368?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17489559#comment-17489559 ] 

Brandon Williams commented on CASSANDRA-17368:
----------------------------------------------

CVE-2021-43797 is netty http stuff we don't use yet again.

CVE-2021-37136 is malicious input can DOS bzip2 decompression, which does not apply.

CVE-2021-37137 is roughly the same but for Snappy, which can't be exploited without having already lost the game to network or local machine access.




> Investigate OWASP failure report
> --------------------------------
>
>                 Key: CASSANDRA-17368
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17368
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Build
>            Reporter: Brandon Williams
>            Assignee: Brandon Williams
>            Priority: Normal
>
> 4.0: netty-all-4.1.58.Final.jar: CVE-2021-43797, CVE-2021-37136, CVE-2021-37137
> 3.11: netty-all-4.0.44.Final.jar: CVE-2021-43797, CVE-2021-37136, CVE-2021-37137
> 3.0: netty-all-4.0.44.Final.jar: CVE-2021-43797, CVE-2021-37136, CVE-2021-37137



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org