Upgrade vendored beam-vendor-grpc-1_54_0 to eliminate vulnerability from shaded Netty

[del1g0r]

What happened?

The beam-vendor-grpc-1_54_0 shades a vulnerable Netty version 4.1.87.Final It brings CVE-2023-44487 Base Score: 7.5 High JFrog Xray recommends updating it at least to version 4.1.100.Final Could you please fix this vulnerability in the shaded jar and also let us know when you are planning to release this?

https://github.com/apache/beam/blob/master/buildSrc/src/main/groovy/org/apache/beam/gradle/GrpcVendoring_1_54_0.groovy#L46

Issue Priority

Priority: 2 (default / most bugs should be filed as P2)

Issue Components

• [ ] Component: Python SDK
• [X] Component: Java SDK
• [ ] Component: Go SDK
• [ ] Component: Typescript SDK
• [ ] Component: IO connector
• [ ] Component: Beam YAML
• [ ] Component: Beam examples
• [ ] Component: Beam playground
• [ ] Component: Beam katas
• [ ] Component: Website
• [ ] Component: Spark Runner
• [ ] Component: Flink Runner
• [ ] Component: Samza Runner
• [ ] Component: Twister2 Runner
• [ ] Component: Hazelcast Jet Runner
• [ ] Component: Google Cloud Dataflow Runner

[Abacn]

This needs to vendor grpc >= 1.60

[ihor-avramenko-db]

This needs to vendor grpc >= 1.60

Thank you for your reply! Is there any plan to release the 1.60 version?

[an2x]

There is another reason to upgrade, which is a potential memory leak fixed in grpc v1.59: https://github.com/grpc/grpc-java/pull/10540. This has been reported as an issue when accessing Bigtable from Beam.

[Abacn]

Also, grpc-alts has been added to the build: #29763 and needs a new vendor release.

The issue with not adding grpc-alts in vendor is that it depends on the same things that grpc does,
and we run into conflicts in the types.

for example, the grpc stubs take a channel. grpc-alts allows us to create an alts secured channel
which we need for direct path