
Pin netty-handler for CVE-2025-24970

Open JimTharioAmazon opened this issue 9 months ago • 3 comments

🔧 Type of changes

  • [ ] new bid adapter
  • [ ] bid adapter update
  • [ ] new feature
  • [ ] new analytics adapter
  • [ ] new module
  • [ ] module update
  • [ ] bugfix
  • [ ] documentation
  • [ ] configuration
  • [X] dependency update
  • [ ] tech debt (test coverage, refactorings, etc.)

✨ What's the context?

This is for https://nvd.nist.gov/vuln/detail/CVE-2025-24970. netty-handler <4.1.118.Final has a high vulnerability related to SSL handling. vert.x >=4.5.13 pulls in this patched version of netty-handler, but a vert.x upgrade is a wider-reaching change. This is a pin for the fixed version of netty-handler only until a larger upgrade can be undertaken.

🧠 Rationale behind the change

This is a smaller and targeted pin for the patched version of netty-handler only versus attempting a larger upgrade to vert.x for the same CVE. No compatibility issues observed with netty-handler 4.1.118.Final.

🔎 New Bid Adapter Checklist

  • [ ] verify email contact works
  • [ ] NO fully dynamic hostnames
  • [ ] geographic host parameters are NOT required
  • [ ] direct use of HTTP is prohibited - implement an existing Bidder interface that will do all the job
  • [ ] if the ORTB is just forwarded to the endpoint, use the generic adapter - define the new adapter as the alias of the generic adapter
  • [ ] cover an adapter configuration with an integration test

🧪 Test plan

Unit tests (mvn test) and functional tests (mvn verify) pass.

๐ŸŽ Quality check

  • [y] Are your changes following our code style guidelines?
  • [n] Are there any breaking changes in your code?
  • [-] Does your test coverage exceed 90%?
  • [n] Are there any erroneous console logs, debuggers or leftover code in your changes?

JimTharioAmazon avatar Mar 31 '25 18:03 JimTharioAmazon
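A check a practitioner would run after a pin like this one, added here as an example that is not part of this PR or of the prebid-server-java code base: it parses `mvn dependency:tree` output (a constructed excerpt, not the project's real tree) and reports whether the resolved netty-handler version is at or above 4.1.118.Final, and whether pinning a single module has left the io.netty modules at mixed versions, which is the compatibility question the functional tests have to answer. The sample coordinates, versions and the simplified version ordering are assumptions.

```python
import re
from typing import List, Tuple

FIXED_VERSION = "4.1.118.Final"  # first netty-handler release without CVE-2025-24970 (per the PR)

# Constructed `mvn dependency:tree` excerpts, not prebid-server-java's real tree; coordinates
# and versions are illustrative. BEFORE: netty-handler arrives transitively at a vulnerable
# version. AFTER: a targeted pin has moved only netty-handler, leaving other io.netty modules.
TREE_BEFORE = """\
[INFO] example:app:jar:1.0.0
[INFO] +- io.vertx:vertx-core:jar:4.5.10:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.115.Final:compile
[INFO] |  \\- io.netty:netty-handler:jar:4.1.115.Final:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
"""
TREE_AFTER = TREE_BEFORE.replace("netty-handler:jar:4.1.115.Final", "netty-handler:jar:4.1.118.Final")

def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Numeric segments plus a qualifier rank, so 4.1.118 > 4.1.99 (string compare gets this wrong).
    Simplified ordering (an assumption, not Maven's ComparableVersion): Final/GA/release count as
    the release; any other qualifier (SNAPSHOT, alpha, rc ...) ranks below the same numbers."""
    nums, rank = [], 0
    for seg in re.split(r"[.\-]", v):
        if seg.isdigit():
            nums.append(int(seg))
        elif seg.lower() not in ("", "final", "ga", "release"):
            rank = -1
    return tuple(nums), rank

def parse_tree(tree: str) -> List[Tuple[str, str, str]]:
    """(groupId, artifactId, version) for every coordinate printed by dependency:tree."""
    out = []
    for line in tree.splitlines():
        m = re.search(r"([\w.\-]+(?::[\w.\-]+){3,5})", line)
        if m:
            parts = m.group(1).split(":")
            # g:a:type:version[:scope]  or, with a classifier, g:a:type:classifier:version:scope
            out.append((parts[0], parts[1], parts[4] if len(parts) == 6 else parts[3]))
    return out

def check_artifact(tree: str, group: str, artifact: str, fixed: str) -> List[Tuple[str, bool]]:
    """(resolved version, still below the fixed version?) for each copy of group:artifact."""
    return [(v, parse_version(v) < parse_version(fixed))
            for g, a, v in parse_tree(tree) if g == group and a == artifact]

def mixed_versions(tree: str, group: str) -> bool:
    """True when one group's modules resolve to several versions: what a single-module pin
    produces, and the compatibility risk the pin's functional tests need to cover."""
    return len({v for g, _, v in parse_tree(tree) if g == group}) > 1
```

Feed it the real output of `mvn dependency:tree -Dincludes=io.netty` to confirm the pin took effect in the resolved graph rather than only in the POM.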

Hi, @JimTharioAmazon. Looks like this PR will be absorbed by the bigger dependency bump: https://github.com/prebid/prebid-server-java/pull/3906. We were finally able to solve the issue with VertX dependency bump. If we won't find performance degradation or other issues, that PR will be merged and effectively close that vulnerability.

Net-burst avatar Apr 11 '25 14:04 Net-burst

Thanks for the update. Good news. Let me know if/when I should close this one.

JimTharioAmazon avatar Apr 11 '25 17:04 JimTharioAmazon

> Thanks for the update. Good news. Let me know if/when I should close this one.

Yeah, I'll close this PR once we are sure that major version bump didn't break anything. Let's keep this PR open just in case.

Net-burst avatar Apr 11 '25 18:04 Net-burst

@Net-burst does this PR still make sense to keep open?

osulzhenko avatar Apr 25 '25 07:04 osulzhenko

> @Net-burst does this PR still make sense to keep open?

Nope. I totally forgot to close it. This was implemented in a wide-scale https://github.com/prebid/prebid-server-java/pull/3906. Closing this issue.

Net-burst avatar May 12 '25 12:05 Net-burst