twitter / finagle

A fault tolerant, protocol-agnostic RPC system
https://twitter.github.io/finagle
Apache License 2.0

Update the Netty to latest version greater than 4.1.68.Final to remove the vulnerabilities CVE-2021-37136, CVE-2021-37137 #921

Closed lokeshmittal10 closed 2 years ago

lokeshmittal10 commented 2 years ago

Describe the bug: Currently the Finagle library has Netty version 4.1.66.Final, which is vulnerable to CVE-2021-37136 and CVE-2021-37137. To remove these vulnerabilities the Netty version should be >= 4.1.68.Final, so the Finagle library should be updated to Netty version >= 4.1.68.Final.

To Reproduce: Steps to reproduce the behavior:

  1. Scan the docker image with twistcli (https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/tools/twistcli_scan_images)
  2. In the scan report the above vulnerabilities, CVE-2021-37136 and CVE-2021-37137, will be seen. For reference, the screenshot is attached.

Expected behavior: CVE-2021-37136 and CVE-2021-37137 should not appear in the scan report.

Screenshots: Scan report with CVE-2021-37136, CVE-2021-37137 is attached.

[Screenshot: scan report, 2021-12-16]

Environment: All


lokeshmittal10 commented 2 years ago

Please provide an estimate of when this can be done.

tigerlily-he commented 2 years ago

Hi @lokeshmittal10, thanks for bringing these CVEs to our attention. We typically upgrade Netty every 3 months. I'm working on upgrading Netty to 4.1.70.Final. I see that 4.1.72.Final was released a few days ago, so I'll try that too. The process requires updating Netty internally at Twitter and making sure that internal tools and services aren't impacted.

lokeshmittal10 commented 2 years ago

Hi @tigerlily-he: Thanks for the response. Just wondering: according to https://github.com/twitter/finagle/releases the previous upgrade in Finagle was done on 2nd Oct 2021. So that means the next Netty upgrade in Finagle will come after 3 months, i.e. January 2022, right?

tigerlily-he commented 2 years ago

Hi @lokeshmittal10, yes, we're upgrading Netty in January 2022. Sorry for the delay in response over the holidays.

lokeshmittal10 commented 2 years ago

Hi @tigerlily-he, no problem. Thanks for the response and confirmation!

lokeshmittal10 commented 2 years ago

Hi @tigerlily-he: Can you please tell me the expected date for this release?

tigerlily-he commented 2 years ago

The January release was on Jan 18th, 2022. The expected date for the next release, which should include the Netty upgrade, is middle to end of February. I'm aiming to finish and land the Netty upgrade by the end of January.

lokeshmittal10 commented 2 years ago

Thanks for the update.

balavenkata commented 2 years ago

@tigerlily-he hi, just checking to see if there was an update (Lokesh, who raised this issue, is in my team). Thank you & good day.

tigerlily-he commented 2 years ago

Hi @balavenkata, very sorry this upgrade is taking longer than expected. The Netty upgrade is under code review. I noticed CPU increased when I was testing with an internal service. I am running additional tests to make sure that the Netty upgrade doesn't cause an increase in CPU utilization and throttling.

tigerlily-he commented 2 years ago

Hi @lokeshmittal10 and @balavenkata, the Netty upgrade to 4.1.73 has landed: https://github.com/twitter/finagle/commit/cccbae40f6139eb15009d5dfc1f4c47ddba15862

lokeshmittal10 commented 2 years ago

@tigerlily-he: Great, and thanks for the update! But the last Finagle version I can see is 22.1.0, released on 19th January. Has the Finagle version with the Netty upgrade changes been released or not? If not, when will it be released?

mosesn commented 2 years ago

@lokeshmittal10 we're planning on doing the release by the end of the month. We deferred the release so that we could update Netty for you :)

tigerlily-he commented 2 years ago

If you want to use the nightly SNAPSHOT version of Finagle, you can use version 22.2.0-SNAPSHOT to get the most up-to-date changes.

For example, finagle-core: https://oss.sonatype.org/content/repositories/snapshots/com/twitter/finagle-core_2.13/22.2.0-SNAPSHOT/

lokeshmittal10 commented 2 years ago

Thanks @mosesn and @tigerlily-he for the updates :)

lokeshmittal10 commented 2 years ago

@mosesn @tigerlily-he: Any updates on this release?

tigerlily-he commented 2 years ago

@lokeshmittal10 The 22.2.0 release is out: https://github.com/twitter/finagle/releases/tag/finagle-22.2.0

lokeshmittal10 commented 2 years ago

@tigerlily-he: thanks

kumarbairesh commented 1 year ago

@tigerlily-he @mosesn Does Finagle version 22.12.0 have Netty version 4.1.86.Final? The following CVE is fixed in this Netty version. Can you help with which version of Netty is present in the latest Finagle?

CVE ID: CVE-2022-41881
CVSS score: 7.5
Description: Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
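The question asked in the original report and again in the last comment is the same one: which Netty artifacts does a Finagle build actually resolve, and is each of them at or above the version that fixes a given CVE? As an added example (not code from this issue thread, from Finagle or from Netty), here is a small Python check that answers it from the text of a Maven `dependency:tree` or sbt `dependencyTree` listing. The fix versions are the ones stated in this thread (4.1.68.Final for CVE-2021-37136/CVE-2021-37137, 4.1.86.Final for CVE-2022-41881); the sample tree is constructed, and the ordering of version qualifiers (`Final`/`GA`/bare above pre-release qualifiers) is an assumption.

```python
"""Report io.netty artifacts on a classpath that are below a CVE's fix version.

Added example for this issue thread; not Finagle or Netty project code.
Input is the text of a Maven `dependency:tree` or sbt `dependencyTree` run.
"""
import re
from typing import Dict, List, Optional, Tuple

# CVE -> first Netty version carrying the fix (versions as stated in the thread).
FIXED_IN: Dict[str, str] = {
    "CVE-2021-37136": "4.1.68.Final",
    "CVE-2021-37137": "4.1.68.Final",
    "CVE-2022-41881": "4.1.86.Final",
}

# Netty versions look like 4.1.66.Final; the qualifier is optional (4.1.73).
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([\w\-]+))?$")

# group:artifact followed by one or more ':'-separated segments (type, classifier,
# version, scope in Maven; just the version in sbt output).
_COORD_RE = re.compile(r"io\.netty:([A-Za-z0-9_.\-]+)((?::[A-Za-z0-9_.\-]+)+)")


def parse_netty_version(v: str) -> Tuple[int, int, int, int]:
    """Turn '4.1.66.Final' into a tuple that compares correctly.

    Assumption: a missing qualifier means the same as Final/GA; any other
    qualifier (RC, Beta, SNAPSHOT, ...) sorts below the final release.
    """
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Netty version: {v!r}")
    major, minor, patch, qualifier = m.groups()
    rank = 1 if qualifier is None or qualifier.lower() in ("final", "ga") else 0
    return (int(major), int(minor), int(patch), rank)


def extract_netty_artifacts(tree_text: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) for every io.netty coordinate in the tree text."""
    found: List[Tuple[str, str]] = []
    for line in tree_text.splitlines():
        m = _COORD_RE.search(line)
        if not m:
            continue
        artifact = m.group(1)
        segments = m.group(2).lstrip(":").split(":")
        # The version is whichever segment parses as a Netty version;
        # 'jar' and 'compile' do not, a classifier like linux-x86_64 does not either.
        version: Optional[str] = next((s for s in segments if _VER_RE.match(s)), None)
        if version is not None:
            found.append((artifact, version))
    return found


def vulnerable_cves(version: str) -> List[str]:
    """CVEs from FIXED_IN whose fix version is newer than the given version."""
    v = parse_netty_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if v < parse_netty_version(fixed)]


def audit(tree_text: str) -> Dict[str, List[str]]:
    """Map 'artifact:version' -> CVEs it is still exposed to (empty list = clean)."""
    return {f"{a}:{ver}": vulnerable_cves(ver) for a, ver in extract_netty_artifacts(tree_text)}


# Constructed Maven dependency:tree excerpt. A real build pins every io.netty
# artifact to one version; the mix here exists only to exercise each threshold.
SAMPLE_TREE = """\
[INFO] com.example:service:jar:1.0.0
[INFO] +- com.twitter:finagle-core_2.13:jar:22.1.0:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.66.Final:compile
[INFO] |  +- io.netty:netty-codec-haproxy:jar:4.1.73.Final:compile
[INFO] |  \\- io.netty:netty-handler:jar:4.1.86.Final:compile
"""

if __name__ == "__main__":
    for coordinate, cves in audit(SAMPLE_TREE).items():
        status = ", ".join(cves) if cves else "ok"
        print(f"{coordinate:40} {status}")
```

Run it against the real output of `mvn dependency:tree` (or `sbt dependencyTree`) by reading that text instead of `SAMPLE_TREE`; the check is version-only, so a coordinate that is reported clean still needs the scanner's own view if the image carries Netty from another path than the build.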

@tigerlily-he @mosesn The Finagle version of 22.12.0 does it have the netty version 4.1.86.Final ?? Because the following CVE's are fixed in this netty version, Can you help which version of netty is present in the latest Finagle?? CVE ID: CVE-2022-41881 CVSS score: 7.5 Description: Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.