
Vulnerability CVE-2023-4586 was found in sts-2.21.5.jar #4630

Closed
wang-wayne opened this issue Oct 24, 2023 · 3 comments
Labels
bug This issue is a bug. duplicate This issue is a duplicate.

Comments

@wang-wayne

wang-wayne commented Oct 24, 2023

Describe the bug

CVE-2023-4586 was found in netty-handler-4.1.100.Final.jar which is used in sts-2.21.5.jar

Suggested Fix
Upgrade to version: io.netty:netty-handler - 5.0.0.Alpha1

Expected Behavior

Remediate the vulnerability.

Current Behavior

CVE-2023-4586

Reproduction Steps

Dependency Hierarchy:

  • sts-2.21.5.jar (Root Library)
    • netty-nio-client-2.21.5.jar
      • ❌ netty-handler-4.1.100.Final.jar (Vulnerable Library)

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

2.21.5

JDK version used

12.0.1

Operating System and version

Mac

@wang-wayne wang-wayne added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 24, 2023
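The dependency hierarchy pasted above is what the scanner reports; to confirm which path in your own build actually pulls the flagged artifact in, you can walk the output of `mvn dependency:tree`. The following is an added example (not code from this issue or from the AWS SDK); the tree text is constructed to mirror the reported hierarchy, and `com.example:*` coordinates are placeholders.

```python
import re
from typing import List, Set, Tuple

# Constructed sample in the format printed by `mvn dependency:tree`;
# the sts -> netty-nio-client -> netty-handler chain mirrors the issue report.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- software.amazon.awssdk:sts:jar:2.21.5:compile
[INFO] |  \- software.amazon.awssdk:netty-nio-client:jar:2.21.5:compile
[INFO] |     \- io.netty:netty-handler:jar:4.1.100.Final:compile
[INFO] \- com.example:other-lib:jar:1.2.3:compile
[INFO]    \- io.netty:netty-common:jar:4.1.100.Final:compile
"""

# Tree-drawing prefix ('+- ', '|  ', '\- ', '   ') is 3 chars per level;
# a coordinate always contains at least one ':' so build noise is skipped.
LINE_RE = re.compile(r"^(?:\[INFO\] )?([|+\\\- ]*)(\S+:\S+)$")


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) pairs; depth 0 is the project itself."""
    nodes = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            prefix, coord = m.groups()
            nodes.append((len(prefix) // 3, coord))
    return nodes


def version_of(coord: str) -> str:
    """group:artifact:type[:classifier]:version[:scope] -> version."""
    parts = coord.split(":")
    return parts[4] if len(parts) == 6 else parts[3]


def find_paths(nodes: List[Tuple[int, str]], group_artifact: str) -> List[List[str]]:
    """Every root-to-node chain whose leaf is group_artifact (any version)."""
    stack: List[str] = []
    paths = []
    for depth, coord in nodes:
        del stack[depth:]            # unwind to this node's parent
        stack.append(coord)
        if coord.startswith(group_artifact + ":"):
            paths.append(list(stack))
    return paths


def affected_paths(text: str, group_artifact: str, vulnerable_versions: Set[str]) -> List[List[str]]:
    """Chains that end in a version listed as vulnerable, for SCA triage."""
    return [p for p in find_paths(parse_tree(text), group_artifact)
            if version_of(p[-1]) in vulnerable_versions]
```

Run it against `mvn dependency:tree` output saved to a file to see each transitive route to the flagged jar, which is the information needed to decide whether an exclusion or a managed-version override is the right remediation.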
@Morl99

Morl99 commented Oct 24, 2023

Chiming in with a little more context: Upstream Issue in Netty
It is explained there how to configure Netty in order to mitigate this.

Updating to the alpha1 as recommended by Mend is a joke, I hope ;)

@debora-ito debora-ito added duplicate This issue is a duplicate. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 24, 2023
@debora-ito
Member

Duplicate, see #4584 (comment). We are not impacted.

Searching for "CVE-2023-4586" in this repo you'll find that this was reported already.

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
