Vulnerability found in io.netty:netty-all

Question

Vulnerability found in io.netty:netty-all

schubon opened this issue 5 years ago · comments

Details

CVE-2019-16869

Vulnerable versions: < 4.1.42
Patched version: 4.1.42

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Remediation

Upgrade io.netty:netty-all to version 4.1.42 or later. For example:

<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-all</artifactId>
  <version>[4.1.42,)</version>
</dependency>

Always verify the validity and compatibility of suggestions with your codebase.

Ahmad Nouri · Answer 1 · Thu Nov 14 2019 19:14:51 GMT+0800 (China Standard Time)

The pom.xml of streamsx.hbase has been adapted.
The jar library netty-all-4.0.52.Final.jar upgraded to netty-all-4.1.42.Final.jar .

Ahmad Nouri · Answer 2 · Mon Nov 25 2019 22:48:27 GMT+0800 (China Standard Time)

Correction delivered in stremsx.hbase version 3.8.1
https://github.com/IBMStreams/streamsx.hbase/releases/tag/v3.8.1

Norbert Schulz · Answer 3 · Wed Jan 08 2020 17:06:22 GMT+0800 (China Standard Time)

As there is an appropriate release ... => closed