apache / servicecomb-pack

Apache ServiceComb Pack is an eventual data consistency solution for micro-service applications. ServiceComb Pack currently provides TCC and Saga distributed transaction coordination solutions by using Alpha as a transaction coordinator and Omega as a transaction agent.
https://servicecomb.apache.org/
Apache License 2.0

Dependency io.netty:netty-common, leading to CVE problem #723

Closed CVEDetect closed 2 years ago

CVEDetect commented 2 years ago

Hi, in servicecomb-pack/omega/omega-connector/omega-connector-grpc, there is a dependency io.netty:netty-common:4.1.35.Final that calls the risk method.

CVE-2021-21290

The affected version range of this CVE is [4.0.0.Final, 4.1.59.Final)

After further analysis, in this project, the main API called is <io.netty.util.internal.NativeLibraryLoader: void load(java.lang.String,java.lang.ClassLoader)>

Risk method repair link: GitHub

CVE bug invocation path:

Path length: 9

<io.netty.util.internal.NativeLibraryLoader: void load(java.lang.String,java.lang.ClassLoader)>
at <io.netty.util.internal.NativeLibraryLoader: void loadFirstAvailable(java.lang.ClassLoader,java.lang.String[])> (io.netty.util.internal.NativeLibraryLoader.java:[96]) in /.m2/repository/io/netty/netty-common/4.1.35.Final/netty-common-4.1.35.Final.jar
at <io.netty.handler.ssl.OpenSsl: void loadTcNative()> (io.netty.handler.ssl.OpenSsl.java:[554]) in /.m2/repository/io/netty/netty-handler/4.1.35.Final/netty-handler-4.1.35.Final.jar
at <io.netty.handler.ssl.OpenSsl: void <clinit>()> (io.netty.handler.ssl.OpenSsl.java:[135]) in /.m2/repository/io/netty/netty-handler/4.1.35.Final/netty-handler-4.1.35.Final.jar
at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslProvider defaultSslProvider()> (io.grpc.netty.GrpcSslContexts.java:[244, 254]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar
at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslContextBuilder configure(io.netty.handler.ssl.SslContextBuilder)> (io.grpc.netty.GrpcSslContexts.java:[171]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar
at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslContextBuilder forClient()> (io.grpc.netty.GrpcSslContexts.java:[120]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar
at <org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder: com.google.common.base.Optional buildSslContext(org.apache.servicecomb.pack.omega.connector.grpc.AlphaClusterConfig)> (org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder.java:[129]) in /detect/unzip/servicecomb-pack-0.6.0/omega/omega-connector/omega-connector-grpc/target/classes
at <org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder: org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContext build()> (org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder.java:[71]) in /detect/unzip/servicecomb-pack-0.6.0/omega/omega-connector/omega-connector-grpc/target/classes

Dependency tree:

[INFO] org.apache.servicecomb.pack:omega-connector-grpc:jar:0.6.0
[INFO] +- io.grpc:grpc-protobuf:jar:1.22.0:compile
[INFO] |  +- io.grpc:grpc-api:jar:1.22.0:compile
[INFO] |  |  +- io.grpc:grpc-context:jar:1.22.0:compile
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.3.2:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:3.0.1:compile
[INFO] |  |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.17:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.7.1:compile
[INFO] |  +- com.google.guava:guava:jar:20.0:compile
[INFO] |  +- com.google.api.grpc:proto-google-common-protos:jar:1.12.0:compile
[INFO] |  \- io.grpc:grpc-protobuf-lite:jar:1.22.0:compile
[INFO] +- io.grpc:grpc-netty:jar:1.22.0:compile
[INFO] |  +- io.grpc:grpc-core:jar:1.22.0:compile (version selected from constraint [1.22.0,1.22.0])
[INFO] |  |  +- com.google.code.gson:gson:jar:2.8.4:compile
[INFO] |  |  +- com.google.android:annotations:jar:4.1.1.4:compile
[INFO] |  |  +- io.perfmark:perfmark-api:jar:0.16.0:compile
[INFO] |  |  +- io.opencensus:opencensus-api:jar:0.21.0:compile
[INFO] |  |  \- io.opencensus:opencensus-contrib-grpc-metrics:jar:0.21.0:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.35.Final:compile
[INFO] |  |  +- io.netty:netty-common:jar:4.1.35.Final:compile
[INFO] |  |  +- io.netty:netty-buffer:jar:4.1.35.Final:compile
[INFO] |  |  +- io.netty:netty-transport:jar:4.1.35.Final:compile
[INFO] |  |  |  \- io.netty:netty-resolver:jar:4.1.35.Final:compile
[INFO] |  |  +- io.netty:netty-codec:jar:4.1.35.Final:compile
[INFO] |  |  +- io.netty:netty-handler:jar:4.1.35.Final:compile
[INFO] |  |  \- io.netty:netty-codec-http:jar:4.1.35.Final:compile
[INFO] |  \- io.netty:netty-handler-proxy:jar:4.1.35.Final:compile
[INFO] |     \- io.netty:netty-codec-socks:jar:4.1.35.Final:compile
[INFO] +- io.netty:netty-tcnative-boringssl-static:jar:2.0.25.Final:compile
[INFO] +- org.apache.servicecomb.pack:omega-transaction:jar:0.6.0:compile
[INFO] |  +- org.apache.servicecomb.pack:pack-common:jar:0.6.0:compile
[INFO] |  +- org.apache.servicecomb.pack:omega-context:jar:0.6.0:compile
[INFO] |  +- org.aspectj:aspectjweaver:jar:1.8.10:compile
[INFO] |  +- javax.transaction:javax.transaction-api:jar:1.2:compile
[INFO] |  \- org.springframework:spring-core:jar:5.1.8.RELEASE:compile
[INFO] |     \- org.springframework:spring-jcl:jar:5.1.8.RELEASE:compile
[INFO] +- org.apache.servicecomb.pack:pack-contract-grpc:jar:0.6.0:compile
[INFO] |  \- io.grpc:grpc-stub:jar:1.22.0:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile

Suggested solutions:

Update dependency version

Thank you very much.
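As an added example (not part of the issue or the project's code), a small check that scans `mvn dependency:tree` output like the tree above for Netty artifacts whose version falls inside the affected range stated in this report, [4.0.0.Final, 4.1.59.Final). The CVE is in netty-common, but the Netty modules are released in lockstep, so the check lists every io.netty module in range; they have to be raised together. The sample tree embedded below is a constructed subset of the one posted here.

```python
import re

# Affected range stated in the report: [4.0.0.Final, 4.1.59.Final)
AFFECTED_MIN = "4.0.0.Final"
FIXED_IN = "4.1.59.Final"

# One Maven coordinate as printed by `mvn dependency:tree`, e.g.
# "[INFO] |  |  +- io.netty:netty-common:jar:4.1.35.Final:compile"
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<pkg>[\w\-]+):"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# Constructed subset of the dependency tree from this report.
SAMPLE_TREE = """\
[INFO] org.apache.servicecomb.pack:omega-connector-grpc:jar:0.6.0
[INFO] +- io.grpc:grpc-netty:jar:1.22.0:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.35.Final:compile
[INFO] |  |  +- io.netty:netty-common:jar:4.1.35.Final:compile
[INFO] |  |  +- io.netty:netty-handler:jar:4.1.35.Final:compile
[INFO] +- io.netty:netty-tcnative-boringssl-static:jar:2.0.25.Final:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
"""


def version_key(version):
    """Turn '4.1.35.Final' into a comparable tuple of its numeric parts.
    Netty versions are numeric components plus a 'Final' qualifier, so
    dropping the non-numeric segment is safe for this artifact family."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def is_affected(version, lo=AFFECTED_MIN, hi=FIXED_IN):
    """True if lo <= version < hi, i.e. the half-open range in the report."""
    return version_key(lo) <= version_key(version) < version_key(hi)


def find_affected_netty(tree_text):
    """Return (artifact, version) pairs for io.netty modules in the range.
    netty-tcnative uses its own 2.x version line and so never matches."""
    hits = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if m and m.group("group") == "io.netty" and is_affected(m.group("version")):
            hits.append((m.group("artifact"), m.group("version")))
    return hits


if __name__ == "__main__":
    for artifact, version in find_affected_netty(SAMPLE_TREE):
        print(f"{artifact} {version} is inside [{AFFECTED_MIN}, {FIXED_IN})")
```

Feed it the real output of `mvn dependency:tree` on the module to confirm a version bump actually resolved netty-common to 4.1.59.Final or later rather than only changing the declared gRPC version.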

CVEDetect commented 2 years ago

@coolbeevip Could you please help me check this issue? May I open a pull request to fix it? Thanks again.

WillemJiang commented 2 years ago

We may consider upgrading the grpc version to fix this issue.