
[fix][sec] Upgrade Vertx to 4.5.7 to address CVE-2024-1300

Open lhotari opened this issue 1 year ago • 1 comment

Motivation

  • address CVE-2024-1300

Modifications

  • upgrade Vertx to 4.5.7 (this requires Netty 4.1.108.Final; otherwise failures will occur at runtime with BK Vertx usage for the HTTP admin API)

Documentation

  • [ ] doc
  • [ ] doc-required
  • [x] doc-not-needed
  • [ ] doc-complete

lhotari, Apr 04 '24 12:04

It looks like jetcd has a dependency on vertx.

  java.lang.NoSuchMethodError: 'io.vertx.core.net.impl.transport.Transport io.vertx.core.impl.VertxInternal.transport()'
  	at io.vertx.grpc.VertxChannelBuilder.build(VertxChannelBuilder.java:298)
  	at io.etcd.jetcd.impl.ClientConnectionManager.getChannel(ClientConnectionManager.java:89)
  	at io.etcd.jetcd.impl.ClientConnectionManager.newStub(ClientConnectionManager.java:121)
  	at io.etcd.jetcd.impl.KVImpl.<init>(KVImpl.java:51)
  	at io.etcd.jetcd.impl.ClientImpl.lambda$new$0(ClientImpl.java:48)
  	at io.etcd.jetcd.support.MemorizingClientSupplier.get(MemorizingClientSupplier.java:37)
  	at io.etcd.jetcd.impl.ClientImpl.getKVClient(ClientImpl.java:65)
  	at org.apache.pulsar.metadata.impl.EtcdMetadataStore.<init>(EtcdMetadataStore.java:111)
  	at org.apache.pulsar.metadata.impl.EtcdMetadataStoreProvider.create(EtcdMetadataStore.java:515)
  	at org.apache.pulsar.metadata.impl.MetadataStoreFactoryImpl.newInstance(MetadataStoreFactoryImpl.java:63)
  	at org.apache.pulsar.metadata.impl.MetadataStoreFactoryImpl.createExtended(MetadataStoreFactoryImpl.java:50)
  	at org.apache.pulsar.metadata.api.extended.MetadataStoreExtended.create(MetadataStoreExtended.java:42)
  	at org.apache.pulsar.metadata.bookkeeper.BKCluster.<init>(BKCluster.java:134)
  	at org.apache.pulsar.metadata.bookkeeper.BKCluster$BKClusterConf.build(BKCluster.java:118)
  	at org.apache.pulsar.broker.EmbeddedPulsarCluster.<init>(EmbeddedPulsarCluster.java:66)
  	at org.apache.pulsar.broker.EmbeddedPulsarCluster$EmbeddedPulsarClusterBuilder.build(EmbeddedPulsarCluster.java:55)
  	at org.apache.pulsar.broker.EndToEndMetadataTest.testPublishConsume(EndToEndMetadataTest.java:67)
  	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
  	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
  	at org.testng.internal.invokers.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:139)
  	at org.testng.internal.invokers.InvokeMethodRunnable.runOne(InvokeMethodRunnable.java:47)
  	at org.testng.internal.invokers.InvokeMethodRunnable.call(InvokeMethodRunnable.java:76)
  	at org.testng.internal.invokers.InvokeMethodRunnable.call(InvokeMethodRunnable.java:11)
  	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
  	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
  	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
  	at java.base/java.lang.Thread.run(Thread.java:840)

The newest jetcd-grpc 0.7.7 would be compatible, but it depends on grpc 1.60.0, which isn't compatible with the grpc version in Bookkeeper and Pulsar. We cannot upgrade grpc until it has first been upgraded in Bookkeeper and only after that in Pulsar.

lhotari, Apr 04 '24 14:04
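The `NoSuchMethodError` above is a transitive-dependency convergence problem: jetcd-grpc was built against an older Vert.x internal API than the one a CVE-driven bump resolves. As an added illustration (not code from this PR or from Pulsar), the following Python check parses `mvn dependency:tree -Dverbose` output and reports which vertx/netty/grpc artifacts were requested at more than one version, or resolved below a required floor such as Netty 4.1.108.Final. The sample tree and its versions are constructed, not taken from the Pulsar build.

```python
"""Flag version conflicts in `mvn dependency:tree -Dverbose` output for the
artifact families a Vert.x upgrade touches (vertx, netty, grpc)."""
import re
from collections import defaultdict

# Constructed sample in Maven's verbose tree format; versions are illustrative.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0:compile
[INFO] +- io.vertx:vertx-core:jar:4.5.7:compile
[INFO] |  \\- io.netty:netty-handler:jar:4.1.108.Final:compile
[INFO] +- io.etcd:jetcd-grpc:jar:0.7.5:compile
[INFO] |  +- (io.vertx:vertx-core:jar:4.4.0:compile - omitted for conflict with 4.5.7)
[INFO] |  \\- io.grpc:grpc-netty:jar:1.56.0:compile
[INFO] |     \\- (io.netty:netty-codec-http2:jar:4.1.93.Final:compile - omitted for conflict with 4.1.108.Final)
[INFO] \\- io.grpc:grpc-stub:jar:1.56.0:compile
"""
WATCHED = ("io.vertx", "io.netty", "io.grpc")
# group:artifact:jar:version:scope, optionally "( ... - omitted for <reason> [with <winner>])"
NODE = re.compile(r"\(?([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):\w+"
                  r"(?: - omitted for (\w+)(?: with ([\w.\-]+))?)?\)?\s*$")

def version_key(v):
    """Sort key: numeric fields compare numerically, qualifiers (Final, SNAPSHOT) lexically."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

def parse_tree(text):
    """Yield (group, artifact, version, omitted_reason, winner) for watched groups only."""
    for line in text.splitlines():
        m = NODE.search(line)
        if m and m.group(1) in WATCHED:
            yield m.groups()

def find_conflicts(text):
    """Map 'group:artifact' -> every version some dependency path asked for (if > 1)."""
    wanted = defaultdict(set)
    for group, artifact, version, reason, winner in parse_tree(text):
        wanted[f"{group}:{artifact}"].add(version)
        if reason == "conflict" and winner:          # the version Maven picked instead
            wanted[f"{group}:{artifact}"].add(winner)
    return {k: sorted(v, key=version_key) for k, v in wanted.items() if len(v) > 1}

def below_minimum(text, minimums):
    """Resolved (non-omitted) artifacts whose version is below the floor for their group."""
    low = []
    for group, artifact, version, reason, _ in parse_tree(text):
        floor = minimums.get(group)
        if reason is None and floor and version_key(version) < version_key(floor):
            low.append((f"{group}:{artifact}", version, floor))
    return low
```

Any artifact listed by `find_conflicts` is a candidate for the kind of binary-incompatibility failure shown in the stack trace, since one of its consumers was compiled against a version Maven did not select.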