Open mariusssi opened 3 years ago
In my opinion, there won't be any problems.
Pinpoint does not use the HTTP protocol of Netty 3.x. Netty 3.x is used for thrift-rpc, which is implemented in pure TCP.
Generally, the agent and collector are installed in an internal network, so the risk is low.
The gRPC protocol (Netty 4.x) may be affected. The latest version of the collector is recommended.
The request smuggling vulnerability seems to be a problem with the HTTP server. The agent doesn't seem to be the target of the attack.
I tried deploying without the netty jar, but Pinpoint RPC failed to be initialized (and it's true that io.netty is a dependency in it):
Caused by: java.lang.NoClassDefFoundError: org/jboss/netty/channel/socket/nio/WorkerPool
at pinpoint.agent/pinpoint.agent/com.navercorp.pinpoint.rpc.ClassPreLoader.preload(ClassPreLoader.java:46) ...
Caused by: java.lang.ClassNotFoundException: org.jboss.netty.channel.socket.nio.WorkerPool...
This WorkerPool (and other classes from org/jboss/netty/channel/) appear in pinpoint-rpc.jar, so it doesn't look to be removable.
Do not remove netty-3.x. It is used in the Pinpoint agent.
netty-3.10.6.Final.jar has known reported vulnerabilities (CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409), some critical, and is still being used in pinpoint-agent-2.2.2. Can it be updated? Alternatively, what would be the impact of removing this jar in an older agent, 1.8.5?
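Before deleting a jar from an agent directory, the question above ("what would be the impact of removing this jar") and the later finding that pinpoint-rpc.jar names org/jboss/netty classes can both be checked mechanically: parse each .class constant pool in the remaining jars and list the CONSTANT_Class entries under the package you intend to remove. The scanner below is an added example, not Pinpoint project code; the sample jar it builds in memory is constructed here as a stand-in for pinpoint-rpc.jar, and the class name com/example/Rpc is invented.

```python
import io
import struct
import zipfile

# Payload size per constant-pool tag (JVM spec 4.4); Utf8 (tag 1) is variable length.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_refs(data):
    """Return the set of class internal names referenced by one .class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count, pos, idx, utf8, class_idx = struct.unpack(">H", data[8:10])[0], 10, 1, {}, []
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 7:  # CONSTANT_Class -> index of its Utf8 name
                class_idx.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += _FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # Long/Double occupy two pool slots
    return {utf8[i] for i in class_idx if i in utf8}

def jar_refs(jar, prefix):
    """Map each .class in the jar (path or file object) to its references under prefix."""
    hits = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                refs = sorted(r for r in class_refs(zf.read(name)) if r.startswith(prefix))
                if refs:
                    hits[name] = refs
    return hits

def sample_jar():
    """Constructed stand-in for pinpoint-rpc.jar: one class whose pool names WorkerPool."""
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s
    pool = utf8(b"org/jboss/netty/channel/socket/nio/WorkerPool")  # #1 Utf8
    pool += b"\x07" + struct.pack(">H", 1)                          # #2 Class -> #1
    pool += utf8(b"java/lang/Object") + b"\x07" + struct.pack(">H", 3)  # #3 Utf8, #4 Class
    head = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 5)       # Java 8, 5 pool slots
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Rpc.class", head + pool)  # body omitted; scan stops at pool
    return io.BytesIO(buf.getvalue())
```

Against a real agent, `jar_refs("pinpoint-rpc.jar", "org/jboss/netty")` lists every class that would hit NoClassDefFoundError if netty-3.x were removed; an empty result for every remaining jar is the precondition for removal, and a non-empty one means the only real fix is a Pinpoint release that upgrades the dependency.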