pinpoint-apm / pinpoint

APM, (Application Performance Management) tool for large-scale distributed systems.
https://pinpoint-apm.gitbook.io/
Apache License 2.0

Update netty-3.10.6.Final (vulnerable) #7954

Open mariusssi opened 3 years ago

mariusssi commented 3 years ago

netty-3.10.6.Final.jar has known reported vulnerabilities (CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409), some critical, and is still being used in pinpoint-agent-2.2.2. Can it be updated? Alternatively, what would be the impact of removing this jar in an older agent, 1.8.5?

emeroad commented 3 years ago

In my opinion, there won't be any problems.

  1. Pinpoint does not use the HTTP protocol of Netty 3.x. Netty 3.x is used for thrift-rpc; it is implemented in pure TCP.
    • It seems to be a vulnerability in Netty 4.x. I don't know how much it affects Netty 3.x.
  2. Generally, the agent and collector are installed in an internal network, so the risk is low.
  3. The gRPC protocol (Netty 4.x) may be affected. The latest version of the collector is recommended.

Request smuggling vulnerability seems to be a problem with the http server. The agent doesn't seem to be the target of the attack.

mariusssi commented 3 years ago

I tried deploying without the netty jar, but Pinpoint RPC failed to be initialized (and it's true io.netty is a dependency in it)

Caused by: java.lang.NoClassDefFoundError: org/jboss/netty/channel/socket/nio/WorkerPool
at pinpoint.agent/pinpoint.agent/com.navercorp.pinpoint.rpc.ClassPreLoader.preload(ClassPreLoader.java:46) ...
Caused by: java.lang.ClassNotFoundException: org.jboss.netty.channel.socket.nio.WorkerPool...

This WorkerPool (and other classes from org/jboss/netty/channel/) appear in pinpoint-rpc.jar, so it doesn't look to be removable.

emeroad commented 3 years ago

Do not remove netty-3.x. It is used in the pinpoint agent.
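Added example, not code from the Pinpoint project: a small Python checker for the question both sides of the thread circle around, namely whether a jar references Netty 3 at all (mariusssi's NoClassDefFoundError shows pinpoint-rpc does) and whether it touches the HTTP codec package where the HTTP-parsing issues emeroad mentions live. It scans the class-name strings inside each .class entry; the sample jar it builds is constructed to mimic the WorkerPool reference from the stack trace, and the function names are mine.

```python
import io
import re
import zipfile

# Netty 3.x lives under org/jboss/netty/. Pinpoint's Thrift RPC uses the
# channel/bootstrap layer; the HTTP codec package is where Netty's HTTP
# parsing (the subject of the request-smuggling discussion) is implemented.
HTTP_CODEC_PREFIX = "org/jboss/netty/handler/codec/http/"
# JVM internal class names are slash-separated; this matches them inside the
# raw constant-pool bytes of a .class file (a heuristic, not a full parser).
CLASS_REF = re.compile(rb"org/jboss/netty/[A-Za-z0-9_/$]+")


def netty3_references(jar_bytes: bytes) -> dict:
    """Map each .class entry in the jar to the sorted Netty 3 class names
    it references. An empty dict means the jar can live without netty-3."""
    refs = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            found = {m.group(0).decode() for m in CLASS_REF.finditer(jar.read(name))}
            if found:
                refs[name] = sorted(found)
    return refs


def uses_netty3_http_codec(refs: dict) -> bool:
    """True if any referencing class pulls in the Netty 3 HTTP codec."""
    return any(r.startswith(HTTP_CODEC_PREFIX) for names in refs.values() for r in names)


def build_sample_jar() -> bytes:
    """Constructed stand-in for pinpoint-rpc.jar: fake .class entries whose
    bytes carry the class-name strings a real constant pool would hold
    (magic number plus CONSTANT_Utf8-style entries, not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/navercorp/pinpoint/rpc/ClassPreLoader.class",
                     b"\xca\xfe\xba\xbe\x01\x00\x2d"
                     b"org/jboss/netty/channel/socket/nio/WorkerPool"
                     b"\x01\x00\x28org/jboss/netty/bootstrap/ClientBootstrap")
        jar.writestr("com/navercorp/pinpoint/rpc/Unrelated.class",
                     b"\xca\xfe\xba\xbe\x01\x00\x10java/lang/Object")
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    refs = netty3_references(build_sample_jar())
    for cls, names in refs.items():
        print(cls, "->", ", ".join(names))
    print("HTTP codec referenced:", uses_netty3_http_codec(refs))
```

Point it at a real agent jar by replacing build_sample_jar() with the file's bytes; a non-empty result confirms the jar cannot be dropped, while an empty HTTP-codec check supports the "pure TCP" reasoning above.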