
CVE-2022-41915 #607

Closed neterium closed 1 year ago

neterium commented 1 year ago

Describe the feature

Patchable vulnerability

Contribution

Should upgrade netty to 4.1.86.Final to fix this patchable vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2022-41915

vietj commented 1 year ago

We have already upgraded and will release this week.

Note that Vert.x is not affected by this CVE because we use the Netty class in Vert.x HTTP server requests and client responses, which are never written to an output. Vert.x HTTP server responses and client requests are implemented by Vert.x itself instead.

vietj commented 1 year ago

[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ vertx-core ---
[INFO] io.vertx:vertx-core:jar:4.3.7-SNAPSHOT
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.1.86.Final:compile
[INFO] |  +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] |  \- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-handler-proxy:jar:4.1.86.Final:compile
[INFO] |  \- io.netty:netty-codec-socks:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec-http:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec-http2:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-resolver:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-resolver-dns:jar:4.1.86.Final:compile
[INFO] |  \- io.netty:netty-codec-dns:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec-haproxy:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport-native-epoll:jar:4.1.86.Final:compile
[INFO] |  \- io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-transport-native-kqueue:jar:4.1.86.Final:compile
[INFO] |  \- io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.14.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.0:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.14.0:compile
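A check a downstream user might run against a tree like the one above: the script below is added for this page (it is not Vert.x or Netty project code) and parses `mvn dependency:tree` output, flagging any `io.netty` artifact whose version sorts below 4.1.86.Final, the version the issue asks for. An excerpt of the issue's own tree is embedded as one input; the second tree, with older versions, is constructed to show a hit. The version ordering is a simplified approximation of Maven's, not a port of it.

```python
"""Scan `mvn dependency:tree` output for io.netty artifacts below a fixed version.

Helper written for this page; not part of Vert.x or Netty.
"""
import re
from typing import List, Tuple

# Netty version the issue asks for; anything that sorts below it is flagged.
FIXED_NETTY_VERSION = "4.1.86.Final"

# Maven coordinates as printed by dependency:tree, e.g.
# "io.netty:netty-codec-http:jar:4.1.86.Final:compile" (scope is absent on the root line).
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[\w.\-]+)(?::(?P<scope>[\w\-]+))?"
)

# Excerpt of the tree posted in the issue (verbatim lines from the page).
PAGE_TREE = """\
[INFO] io.vertx:vertx-core:jar:4.3.7-SNAPSHOT
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.1.86.Final:compile
[INFO] |  +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] |  \\- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec-http:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec-http2:jar:4.1.86.Final:compile
"""

# Constructed tree (not from the page) with two artifacts that predate the fix.
CONSTRUCTED_OLD_TREE = """\
[INFO] com.example:example-app:jar:1.0-SNAPSHOT
[INFO] +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] +- io.netty:netty-codec-http:jar:4.1.85.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.1.86-SNAPSHOT:compile
"""


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sortable key for versions such as 4.1.86.Final or 4.3.7-SNAPSHOT.

    Leading numeric components compare numerically; the remaining qualifier is
    ranked with a simplified rule (SNAPSHOT sorts below any release-style
    qualifier). This approximates Maven's ordering rather than reproducing it.
    """
    parts = re.split(r"[.\-]", version)
    numeric: List[int] = []
    qualifier = ""
    for i, part in enumerate(parts):
        if part.isdigit():
            numeric.append(int(part))
        else:
            qualifier = "-".join(parts[i:])
            break
    qualifier_rank = 0 if "SNAPSHOT" in qualifier.upper() else 1
    return (tuple(numeric), qualifier_rank, qualifier)


def find_netty_artifacts(tree_output: str) -> List[Tuple[str, str]]:
    """Return (artifactId, version) for every io.netty coordinate in the tree."""
    found: List[Tuple[str, str]] = []
    for line in tree_output.splitlines():
        match = COORD_RE.search(line)
        if match and match.group("group") == "io.netty":
            found.append((match.group("artifact"), match.group("version")))
    return found


def outdated_netty(tree_output: str, fixed: str = FIXED_NETTY_VERSION) -> List[Tuple[str, str]]:
    """io.netty artifacts whose version sorts below `fixed`, in tree order."""
    fixed_key = version_key(fixed)
    return [(a, v) for a, v in find_netty_artifacts(tree_output) if version_key(v) < fixed_key]


if __name__ == "__main__":
    for label, tree in (("issue excerpt", PAGE_TREE), ("constructed tree", CONSTRUCTED_OLD_TREE)):
        stale = outdated_netty(tree)
        if stale:
            listing = ", ".join(f"{a}:{v}" for a, v in stale)
            print(f"{label}: needs upgrade to {FIXED_NETTY_VERSION}: {listing}")
        else:
            print(f"{label}: all io.netty artifacts at or above {FIXED_NETTY_VERSION}")
```

To use it on a real build, pipe `mvn dependency:tree` output into `outdated_netty`; the regex only keys on the coordinate text, so the `[INFO]` prefix and tree-drawing characters are ignored. Because Maven resolves one version per artifact, a single stale entry here is enough to show the upgrade has not fully taken effect.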