Apache ServiceComb Pack is an eventual data consistency solution for micro-service applications. ServiceComb Pack currently provides TCC and Saga distributed transaction coordination solutions, using Alpha as the transaction coordinator and Omega as the transaction agent.
Hi, in servicecomb-pack/omega/omega-connector/omega-connector-grpc there is a dependency, io.netty:netty-common:4.1.35.Final, that calls the risk method.

CVE-2021-21290

The affected version range of this CVE is [4.0.0.Final, 4.1.59.Final).

After further analysis, the main API called in this project is <io.netty.util.internal.NativeLibraryLoader: void load(java.lang.String,java.lang.ClassLoader)>.

Risk method repair link: GitHub

CVE Bug Invocation Path--
Path Length : 9
<io.netty.util.internal.NativeLibraryLoader: void load(java.lang.String,java.lang.ClassLoader)>
at <io.netty.util.internal.NativeLibraryLoader: void loadFirstAvailable(java.lang.ClassLoader,java.lang.String[])> (io.netty.util.internal.NativeLibraryLoader.java:[96]) in /.m2/repository/io/netty/netty-common/4.1.35.Final/netty-common-4.1.35.Final.jar
at <io.netty.handler.ssl.OpenSsl: void loadTcNative()> (io.netty.handler.ssl.OpenSsl.java:[554]) in /.m2/repository/io/netty/netty-handler/4.1.35.Final/netty-handler-4.1.35.Final.jar
at <io.netty.handler.ssl.OpenSsl: void <clinit>()> (io.netty.handler.ssl.OpenSsl.java:[135]) in /.m2/repository/io/netty/netty-handler/4.1.35.Final/netty-handler-4.1.35.Final.jar
at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslProvider defaultSslProvider()> (io.grpc.netty.GrpcSslContexts.java:[244, 254]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar
at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslContextBuilder configure(io.netty.handler.ssl.SslContextBuilder)> (io.grpc.netty.GrpcSslContexts.java:[171]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar
at <io.grpc.netty.GrpcSslContexts: io.netty.handler.ssl.SslContextBuilder forClient()> (io.grpc.netty.GrpcSslContexts.java:[120]) in /.m2/repository/io/grpc/grpc-netty/1.22.0/grpc-netty-1.22.0.jar
at <org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder: com.google.common.base.Optional buildSslContext(org.apache.servicecomb.pack.omega.connector.grpc.AlphaClusterConfig)> (org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder.java:[129]) in /detect/unzip/servicecomb-pack-0.6.0/omega/omega-connector/omega-connector-grpc/target/classes
at <org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder: org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContext build()> (org.apache.servicecomb.pack.omega.connector.grpc.core.LoadBalanceContextBuilder.java:[71]) in /detect/unzip/servicecomb-pack-0.6.0/omega/omega-connector/omega-connector-grpc/target/classes

Dependency tree--

Suggested solutions:
Update dependency version

Thank you very much.
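The check a maintainer would run before acting on a report like this one, and again after bumping the dependency, is whether the version of netty-common that Maven actually resolves for the module still falls inside the affected range [4.0.0.Final, 4.1.59.Final). The script below is an added example, not code from the servicecomb-pack project or from the reporter: it parses text shaped like `mvn dependency:tree` output, compares Netty-style versions (4.1.35.Final, with pre-release qualifiers sorting before Final), ignores nodes that Maven prints with `-Dverbose` as "omitted for conflict" because they never reach the classpath, and reports every affected artifact. Both dependency trees in it are constructed to mirror the module named in the report, not captured from a real build.

```python
"""Check a Maven dependency tree for artifacts whose resolved version falls
inside a CVE's affected range.  Added example, not code from the
servicecomb-pack project; the range below is the one quoted in the report."""
import re

# [lower, upper) as given in the report for CVE-2021-21290.
AFFECTED = {
    "io.netty:netty-common": ("4.0.0.Final", "4.1.59.Final"),
}

# One node of `mvn dependency:tree` output: group:artifact:type[:classifier]:version:scope
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?:[\w.\-]+:){1,2}"
    r"(?P<version>\d[\w.\-]*):(?P<scope>compile|provided|runtime|test|system)"
)


def parse_version(version: str) -> tuple:
    """Turn '4.1.35.Final' into a tuple that sorts the way Netty releases do."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.\-]([A-Za-z0-9]+))?", version)
    if not m:
        raise ValueError(f"unsupported version format: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    qualifier = (m.group(4) or "Final").lower()
    # Pre-release qualifiers (Beta1, CR2, ...) sort before the GA "Final" build.
    release_rank = 1 if qualifier in ("final", "ga", "release") else 0
    return (major, minor, patch, release_rank, qualifier)


def in_range(version: str, lower: str, upper: str) -> bool:
    """True when lower <= version < upper, i.e. the version is affected."""
    return parse_version(lower) <= parse_version(version) < parse_version(upper)


def resolved_artifacts(tree_text: str) -> dict:
    """Map 'group:artifact' to the version Maven actually resolved.

    Nodes printed with -Dverbose as '(... omitted for conflict ...)' are not on
    the classpath, so they are skipped; only the winning version matters."""
    resolved = {}
    for line in tree_text.splitlines():
        if "omitted for" in line:
            continue
        m = DEP_RE.search(line)
        if m:
            resolved[f"{m['group']}:{m['artifact']}"] = m["version"]
    return resolved


def find_affected(tree_text: str, affected: dict = AFFECTED) -> list:
    """Return [(group:artifact, resolved version)] for every affected artifact."""
    findings = []
    for ga, version in resolved_artifacts(tree_text).items():
        if ga in affected and in_range(version, *affected[ga]):
            findings.append((ga, version))
    return findings


# Constructed sample shaped like `mvn dependency:tree` output for the module in
# the report (not captured from the real build).
VULNERABLE_TREE = """\
[INFO] org.apache.servicecomb.pack:omega-connector-grpc:jar:0.6.0
[INFO] +- io.grpc:grpc-netty:jar:1.22.0:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.35.Final:compile
[INFO] |  |  +- io.netty:netty-common:jar:4.1.35.Final:compile
[INFO] |  |  \\- io.netty:netty-handler:jar:4.1.35.Final:compile
[INFO] |  \\- io.netty:netty-handler-proxy:jar:4.1.35.Final:compile
[INFO] \\- com.google.guava:guava:jar:26.0-android:compile
"""

# Constructed sample for the same module after pinning Netty 4.1.59.Final in
# <dependencyManagement>; the bracketed line is how -Dverbose shows the loser.
FIXED_TREE = """\
[INFO] org.apache.servicecomb.pack:omega-connector-grpc:jar:0.6.0
[INFO] +- io.grpc:grpc-netty:jar:1.22.0:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.59.Final:compile
[INFO] |  |  +- io.netty:netty-common:jar:4.1.59.Final:compile (version managed from 4.1.35.Final)
[INFO] |  |  \\- (io.netty:netty-common:jar:4.1.35.Final:compile - omitted for conflict with 4.1.59.Final)
[INFO] |  \\- io.netty:netty-handler:jar:4.1.59.Final:compile
[INFO] \\- com.google.guava:guava:jar:26.0-android:compile
"""

if __name__ == "__main__":
    for label, tree in (("before", VULNERABLE_TREE), ("after", FIXED_TREE)):
        print(label, find_affected(tree) or "no affected artifacts")
```

Two points the call path in the report makes clear. The risky frame is reached from `GrpcSslContexts.forClient()` through the static initializer of `OpenSsl`, so it runs whenever Omega builds an SSL context for the Alpha connection, whatever the module declares directly; that is why the script looks at the resolved version rather than the declared one. And because netty-common arrives transitively through grpc-netty 1.22.0, the upgrade has to be pinned (for example through `io.netty:netty-bom` in `<dependencyManagement>`) and then confirmed with `mvn dependency:tree -Dverbose`, checking that the chosen Netty line is one the gRPC version in use supports.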