
CVE-2022-24823: Upgrade to Netty v.4.1.77.Final

Open ssainz opened this issue 2 years ago • 2 comments

Describe the bug: CVE-2022-24823 in Netty 4.1.73.Final.

This will also help us catch https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1

To Reproduce: Steps to reproduce the behavior:

  1. Check the Apache Drill pom.xml file: https://github.com/apache/drill/blob/master/pom.xml#L123 It ships Netty v4.1.73.
  2. Read through https://nvd.nist.gov/vuln/detail/CVE-2022-24823 for more details on why v4.1.73 is vulnerable.

Expected behavior: Drill to use 4.1.77.


ssainz avatar May 19 '22 15:05 ssainz

Thank you for this. However, per the CVE, "This only impacts applications running on Java version 6 and lower." Drill requires Java 8 as a minimum version. We should still update this, but I don't think there is an urgency to do so.

cgivre avatar May 19 '22 15:05 cgivre

I agree not urgent, thanks for the perspective @cgivre !

ssainz avatar May 19 '22 15:05 ssainz
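The check the thread describes by hand (read the pom.xml, compare the declared Netty version to the fixed 4.1.77.Final, then weigh the CVE's Java 6-and-lower note) is straightforward to script. The following is an added example and not Apache Drill's or Netty's own code: the pom fragment is constructed for illustration rather than copied from the Drill repository, the `maven.compiler.target` property is used as a stand-in for the runtime Java version (an assumption; the CVE note is about the JVM the application runs on), and the version ordering only compares the numeric components.

```python
"""Flag a Maven pom.xml that still resolves io.netty artifacts to a version
below the CVE-2022-24823 fix (4.1.77.Final), and note whether the build's
Java target falls in the range the CVE note says is affected (Java <= 6).

Added example, not code from Apache Drill or Netty.
"""
import re
import xml.etree.ElementTree as ET

# Constructed pom fragment for this example; NOT the real Drill pom.xml.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <netty.version>4.1.73.Final</netty.version>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-handler</artifactId>
        <version>${netty.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_NETTY = "4.1.77.Final"   # first release carrying the fix, per the issue title


def version_key(v):
    """'4.1.73.Final' -> (4, 1, 73); only numeric components are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def java_major(target):
    """Map a maven.compiler.target such as '1.6', '1.8' or '17' to its major number."""
    return int(target.split(".")[1]) if target.startswith("1.") else int(target)


def properties(root):
    """Collect <properties> children as {name: value}."""
    return {p.tag.split("}")[1]: (p.text or "").strip()
            for p in root.findall("m:properties/*", NS)}


def netty_versions(pom_text):
    """Return {artifactId: resolved version} for every io.netty dependency,
    expanding ${property} references from the <properties> block."""
    root = ET.fromstring(pom_text)
    props = properties(root)

    def resolve(v):
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), v)

    found = {}
    for dep in root.iter("{%s}dependency" % NS["m"]):
        if dep.findtext("m:groupId", default="", namespaces=NS).strip() != "io.netty":
            continue
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        found[aid] = resolve(ver)
    return found


def assess(pom_text):
    """Return (outdated io.netty artifacts, Java major target,
    whether the CVE's 'Java 6 and lower' condition also holds)."""
    outdated = {a: v for a, v in netty_versions(pom_text).items()
                if version_key(v) < version_key(FIXED_NETTY)}
    root = ET.fromstring(pom_text)
    # Assumption: compiler target approximates the runtime JVM version.
    jm = java_major(properties(root).get("maven.compiler.target", "1.8"))
    return outdated, jm, bool(outdated) and jm <= 6


if __name__ == "__main__":
    outdated, jm, affected = assess(SAMPLE_POM)
    for artifact, ver in outdated.items():
        print(f"{artifact} resolves to {ver} < {FIXED_NETTY}: upgrade needed")
    print(f"Java target {jm}; CVE-2022-24823 runtime condition met: {affected}")
```

On the constructed pom this reports netty-handler at 4.1.73.Final as below the fix but the Java target as 8, which matches the thread's conclusion: the dependency should still be bumped, while the CVE's own Java 6-and-lower condition does not apply. Treat the compiler-target check as a hint only; the JVM that actually runs the deployed artifact is what the CVE note refers to.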