
Dependency of netty has a vulnerability CVE-2023-44487 'rapid reset' for HTTP/2 #4619

Closed
profTwinglings opened this issue Oct 20, 2023 · 3 comments
Labels
bug This issue is a bug.

Comments

@profTwinglings

profTwinglings commented Oct 20, 2023

Describe the bug

I think that aws-sdk isn't vulnerable, since a similar library, the Azure SDK, isn't (using netty as client only):
Azure/azure-sdk-for-java#37198

but can you confirm this?

Expected Behavior

no cve

Current Behavior

CVE warning

Reproduction Steps

Run owasp-dependency check

Possible Solution

Upgrade netty to 4.1.100:
https://netty.io/news/2023/10/10/4-1-100-Final.html

Additional Information/Context

No response

AWS Java SDK version used

software.amazon.awssdk/bom/2.21.2

JDK version used

latest 17

Operating System and version

linux from scratch

@profTwinglings profTwinglings added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 20, 2023
@profTwinglings
Author

I saw that the latest 2.21.4 version uses netty 4.1.100 but I decided to let this issue be open for anyone who searches for the CVE.

@debora-ito
Member

We were tracking this in your other GitHub issue, because of this comment - #4584 (comment).

Java SDK version 2.21.4 includes the upgraded netty version 4.1.100. Will go ahead and close this.
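A quick way to confirm which netty version a build actually resolves, rather than trusting the BOM version alone, is to scan `mvn dependency:tree` output for `io.netty` artifacts below 4.1.100.Final. This is an added example, not code from the SDK or from anyone in this thread; the tree lines below are constructed sample output in the usual `groupId:artifactId:type[:classifier]:version:scope` layout, and the comparison is numeric because a plain string compare would rank 4.1.99 above 4.1.100.

```python
import re

# Minimum netty version containing the CVE-2023-44487 fix, per the issue.
MIN_NETTY = "4.1.100.Final"

# Constructed sample of `mvn dependency:tree` output (not a real build):
# two netty artifacts below the fixed version, one at it, one with a classifier.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- software.amazon.awssdk:netty-nio-client:jar:2.21.2:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.99.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.100.Final:compile
[INFO] |  \\- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.99.Final:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
"""

# groupId:artifactId:type[:classifier]:version:scope, after the tree-drawing prefix.
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):\w+(?::[\w\-]+)?:([\w.\-]+):(\w+)")


def parse_version(v: str) -> tuple:
    """Turn '4.1.99.Final' into (4, 1, 99) so comparison is numeric.

    As strings, '4.1.99.Final' > '4.1.100.Final'; as tuples it is not.
    Non-numeric qualifiers such as 'Final' are ignored.
    """
    nums = []
    for part in v.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def find_vulnerable_netty(tree_output: str, minimum: str = MIN_NETTY) -> list:
    """Return (artifactId, version) for each io.netty artifact resolved below `minimum`."""
    findings = []
    for line in tree_output.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        if group == "io.netty" and parse_version(version) < parse_version(minimum):
            findings.append((artifact, version))
    return findings


if __name__ == "__main__":
    for artifact, version in find_vulnerable_netty(SAMPLE_TREE):
        print(f"io.netty:{artifact}:{version} is below {MIN_NETTY}")
```

Pipe real output in with `mvn dependency:tree | python3 check_netty.py`-style wiring after replacing `SAMPLE_TREE` with `sys.stdin.read()`; transitive netty artifacts pulled in by other dependencies show up the same way as the SDK's own.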

@debora-ito debora-ito removed the needs-triage This issue or PR still needs to be triaged. label Oct 20, 2023
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
