Search before asking
- I had searched in the issues and found no similar feature requirement.
Description
Part of #15940
Current DolphinScheduler uses: <netty.version>4.1.53.Final</netty.version>
Netty 4.1.53.Final is affected by an HTTP/2 protocol denial-of-service vulnerability (CVE-2023-44487). To mitigate this security risk, upgrade Netty to a fixed, supported release (proposed: 4.1.100.Final).
Vulnerability
Vulnerability name: HTTP/2 protocol denial-of-service
CVE: CVE-2023-44487
Category: Denial of Service (protocol-level, HTTP/2)
Impact: A malicious or malformed HTTP/2 stream can cause excessive resource consumption or connection disruption in Netty-based HTTP/2 servers and clients.
Recommended fix
Upgrade Netty to at least a version where CVE-2023-44487 is fixed. Proposed: 4.1.100.Final.
Update the ${netty.version} property and any direct Netty dependency versions.
Run the full test suite and do smoke tests for HTTP/2-related components to ensure no regressions.
Review any code that depends on Netty internals or on behavior that may have changed between 4.1.53 and 4.1.100; adjust if needed.
If the project uses shaded or bundled Netty artifacts, ensure the shading/bundling is updated too.
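As an added check for the upgrade steps above (example code written for this issue, not part of DolphinScheduler), a script that reads the netty.version property from a constructed pom fragment and compares it numerically against the proposed fixed release; the numeric parse matters because a plain string compare ranks 4.1.53 above 4.1.100:

```python
import re
from typing import Optional, Tuple

# Constructed sample pom fragment (not the project's real pom.xml); the
# version string matches what the issue reports DolphinScheduler pins.
SAMPLE_POM = """
<project>
  <properties>
    <netty.version>4.1.53.Final</netty.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-codec-http2</artifactId>
      <version>${netty.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# First Netty release containing the CVE-2023-44487 fix, as proposed in the issue.
FIXED_NETTY = "4.1.100.Final"

def parse_netty_version(v: str) -> Tuple[int, ...]:
    """Turn '4.1.53.Final' into (4, 1, 53) so versions compare numerically.
    A plain string compare would wrongly rank '4.1.53' above '4.1.100'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:\.Final)?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised Netty version: {v!r}")
    return tuple(int(x) for x in m.groups())

def resolve_netty_version(pom: str) -> Optional[str]:
    """Return the netty.version property from a pom, or None if absent."""
    m = re.search(r"<netty\.version>\s*([^<\s]+)\s*</netty\.version>", pom)
    return m.group(1) if m else None

def is_vulnerable(version: str) -> bool:
    """True when the pinned Netty release predates the CVE-2023-44487 fix."""
    return parse_netty_version(version) < parse_netty_version(FIXED_NETTY)

def audit_pom(pom: str) -> str:
    v = resolve_netty_version(pom)
    if v is None:
        return "netty.version not set: check transitive Netty versions"
    state = "VULNERABLE" if is_vulnerable(v) else "ok"
    return f"netty.version={v}: {state} (fix in {FIXED_NETTY})"

if __name__ == "__main__":
    print(audit_pom(SAMPLE_POM))
```

The property check only covers the pinned version; shaded or transitively pulled Netty artifacts still need to be verified from the resolved dependency tree.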
References
NVD: CVE-2023-44487
Netty releases: https://github.com/netty/netty/tags
Are you willing to submit a PR?
- Yes I am willing to submit a PR!
Code of Conduct
- I agree to follow this project's Code of Conduct