Closed amaciejk closed 1 year ago
Note that in the latest logstash 8.6.0 / logstash-input-tcp-6.3.1 plugin these vulnerabilities are still being found, and we are also hitting CVE-2022-41881, so netty needs to go to 4.1.86 (current latest).
Previous PR to bump netty was: https://github.com/logstash-plugins/logstash-input-tcp/pull/179
@andsel
Thank you for your report.
Elastic's security reporting guidelines are available at https://www.elastic.co/community/security. Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.
We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.
logstash 8.3.3 (current latest) still uses the older netty 4.1.65 via the logstash-input-tcp-6.3.0 plugin.
As this version of netty is vulnerable to CVE-2021-37136 and CVE-2021-37137,
can it please be bumped from netty-all-4.1.65.Final.jar to at least netty-all-4.1.68.Final.jar in https://github.com/logstash-plugins/logstash-input-tcp/blob/main/build.gradle#L46 ?
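As an added example, not part of this thread and not the plugin's own code: a POSIX shell audit that finds the netty-all jar(s) actually shipped under a Logstash install and compares them against a minimum version (the thread asks for at least 4.1.68 for the two 2021 CVEs and later 4.1.86 for CVE-2022-41881). It only inspects jar filenames, which is how this issue identified the affected version. The function names, the jruby directory name and the jar-dependencies path layout used in the constructed sample are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the issue thread or the plugin's own code):
# audit the netty-all jar(s) shipped in a Logstash install against a
# minimum fixed version. Paths used below are assumptions.

# Print the dotted numeric version from a jar filename, e.g.
# netty-all-4.1.65.Final.jar -> 4.1.65 (prints nothing if it does not match).
netty_version_from_jar() {
  basename "$1" | sed -n 's/^netty-all-\([0-9][0-9.]*\)\.Final\.jar$/\1/p'
}

# version_ge A B: exit 0 when dotted version A >= B, 1 otherwise.
# Compares component by component numerically, so 4.1.9 < 4.1.10.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ -z "$x" ] && x=0
    [ -z "$y" ] && y=0
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 0
}

# audit_netty_jars DIR MIN: walk DIR for netty-all-*.jar, report each one,
# exit 0 only if at least one jar was found and every jar is at or above MIN.
audit_netty_jars() {
  dir="$1"; min="$2"; bad=0; found=0
  # A here-document keeps the loop in the current shell so $bad survives.
  while IFS= read -r jar; do
    [ -z "$jar" ] && continue
    v=$(netty_version_from_jar "$jar")
    [ -z "$v" ] && continue
    found=1
    if version_ge "$v" "$min"; then
      echo "OK   $jar ($v >= $min)"
    else
      echo "FAIL $jar ($v < $min)"
      bad=1
    fi
  done <<EOF
$(find "$dir" -name 'netty-all-*.jar' -type f)
EOF
  [ "$found" -eq 1 ] || { echo "no netty-all jar found under $dir"; return 1; }
  return $bad
}

# Constructed sample: an assumed layout of where the jar-dependencies gem
# places plugin jars under a Logstash install (empty placeholder files).
demo() {
  root=$(mktemp -d)
  plugin="$root/vendor/bundle/jruby/3.1.0/gems/logstash-input-tcp-6.3.0-java"
  jardir="$plugin/vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final"
  mkdir -p "$jardir"
  : > "$jardir/netty-all-4.1.65.Final.jar"
  echo "== checking against 4.1.68 (floor requested in the issue)"
  audit_netty_jars "$root" 4.1.68 || echo "-> vulnerable netty version present"
  rm -rf "$root"
}
demo
```

Run it against a real install with `audit_netty_jars /usr/share/logstash 4.1.86` (or whatever minimum your advisory requires); a FAIL line names the exact jar path so you can confirm which plugin vendored it. Because the check keys on filenames only, a jar renamed or shaded into another artifact would be missed, so treat a clean result as a quick triage, not proof of absence.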