vert-x3 / vertx-grpc

gRPC for Vert.x

Can we bump the jprotoc to 1.2.2 #150

Open xchen8421 opened 1 month ago

xchen8421 commented 1 month ago


Describe the feature

Give the simplest and best explanation.

Currently, we are using vert.x-grpc to implement our grpc service. We found out the following CVE issues.

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| com.google.protobuf:protobuf-java (vertx-grpc-protoc-plugin-4.5.9.jar) | CVE-2021-22569 | HIGH | 3.15.8 | 3.16.1, 3.18.2, 3.19.2 | protobuf-java: potential DoS in the parsing procedure for binary data (https://avd.aquasec.com/nvd/cve-2021-22569) |
| com.google.protobuf:protobuf-java (vertx-grpc-protoc-plugin-4.5.9.jar) | CVE-2022-3509 | HIGH | 3.15.8 | 3.16.3, 3.19.6, 3.20.3, 3.21.7 | protobuf-java: Textformat parsing issue leads to DoS (https://avd.aquasec.com/nvd/cve-2022-3509) |
| com.google.protobuf:protobuf-java (vertx-grpc-protoc-plugin-4.5.9.jar) | CVE-2022-3510 | HIGH | 3.15.8 | 3.16.3, 3.19.6, 3.20.3, 3.21.7 | protobuf-java: Message-Type Extensions parsing issue leads to DoS (https://avd.aquasec.com/nvd/cve-2022-3510) |
| com.google.protobuf:protobuf-java (vertx-grpc-protoc-plugin-4.5.9.jar) | CVE-2022-3171 | MEDIUM | 3.15.8 | 3.21.7, 3.20.3, 3.19.6, 3.16.3 | protobuf-java: timeout in parser leads to DoS (https://avd.aquasec.com/nvd/cve-2022-3171) |

We found that if we could bump jprotoc to 1.2.2, it could resolve those HIGH CVEs, because it uses protobuf-java 3.22.2.

Use cases

A list of use cases this feature will enable and the value it creates.

Contribution

Who should implement this feature? Are you volunteering to implement this feature, or do you know someone who is able and willing to implement it?
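To check which of the CVEs in the scan table above a given protobuf-java version still carries, here is an added example (not vertx-grpc or jprotoc project code). The fixed-version lists are copied from the table; the rule that a version is fixed only when it is at or above the fix on its own minor line, or on a newer minor line than the highest fixed one, is an assumption about how fixes are backported to release branches.

```python
"""Decide whether a protobuf-java version is covered by the fixed versions
listed in the scan table (added example, not project code)."""
from typing import Dict, List, Tuple

# CVE -> fixed versions, copied from the scan table above
FIXES: Dict[str, List[str]] = {
    "CVE-2021-22569": ["3.16.1", "3.18.2", "3.19.2"],
    "CVE-2022-3509": ["3.16.3", "3.19.6", "3.20.3", "3.21.7"],
    "CVE-2022-3510": ["3.16.3", "3.19.6", "3.20.3", "3.21.7"],
    "CVE-2022-3171": ["3.21.7", "3.20.3", "3.19.6", "3.16.3"],
}


def parse(version: str) -> Tuple[int, int, int]:
    """Split 'major.minor.patch' into a comparable tuple."""
    major, minor, patch = (int(p) for p in version.split("."))
    return major, minor, patch


def is_fixed(installed: str, fixed: List[str]) -> bool:
    """Assumed backport rule: fixed if installed >= the fix on its own
    minor line, or if it sits on a newer minor line than the highest
    fixed one. A minor line with no listed fix (e.g. 3.17.x for
    CVE-2021-22569) is treated as still vulnerable."""
    inst = parse(installed)
    fixes = sorted(parse(f) for f in fixed)
    if inst[:2] > fixes[-1][:2]:
        return True
    for fix in fixes:
        if fix[:2] == inst[:2]:
            return inst >= fix
    return False


def remaining_cves(installed: str) -> List[str]:
    """CVEs from the table that the installed version does not clear."""
    return sorted(cve for cve, fixed in FIXES.items()
                  if not is_fixed(installed, fixed))


if __name__ == "__main__":
    # 3.15.8 is the version the scan reported; 3.22.2 is what jprotoc 1.2.2 pulls in
    for v in ("3.15.8", "3.17.0", "3.16.3", "3.22.2"):
        print(v, remaining_cves(v) or "clears all listed CVEs")
```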

xchen8421 commented 2 weeks ago

Hi @vietj,

Could you help us on this?

Thanks in advance!