sdk-java icon indicating copy to clipboard operation
sdk-java copied to clipboard
verified publisher icon temporalio

temporal java sdk is using an older version of grpc-netty-shaded with vulnerabilities

Open susie-oracle opened this issue 3 months ago • 6 comments

Expected Behavior

upgrade grpc-netty-shaded to 1.75.0

Actual Behavior

Steps to Reproduce the Problem

1.check dependencies of temporal java-sdk 1.https://www.cve.org/CVERecord?id=CVE-2025-55163 1.

Specifications

  • Version: 1.28.1, ..,1.31.0
  • Platform:

susie-oracle avatar Oct 07 '25 21:10 susie-oracle

A few points,

  1. This vulnerability does not apply to how the Java SDK uses netty since the Java SDK is only a client.

  2. If the issue is simply the vulnerability scan then you can update the version of gRPC the SDK uses. As part of our CI we test the Java SDK with the latest version of Java gRPC. Note, this is what we always recommend anyway.

Quinn-With-Two-Ns avatar Oct 07 '25 22:10 Quinn-With-Two-Ns

A few points,

  1. This vulnerability does not apply to how the Java SDK uses netty since the Java SDK is only a client.
  2. If the issue is simply the vulnerability scan then you can update the version of gRPC the SDK uses. As part of our CI we test the Java SDK with the latest version of Java gRPC. Note, this is what we always recommend anyway.

I think it might be helpful if this context and the recommendation were documented somewhere more formally. I found it here, and I also found it in this community thread, but might have saved me some time if it were more front and center. Maybe the README? There's already a note about Protobuf versions in there, so doesn't seem like it would be too out of place there? Just a thought.

mike706574 avatar Nov 12 '25 14:11 mike706574

Is there a plan to update temporal SDK to latest version of gRPC? Even if I update gRPC to v1.76., temporal SDK has dependencies on classes of gRPC v1.58. which are not in gRPC v.176.*

Vishal-Joshi avatar Dec 01 '25 14:12 Vishal-Joshi

@Vishal-Joshi please see the comment above. The Java SDK is fully compatible with the latest gRPC.

Quinn-With-Two-Ns avatar Dec 01 '25 18:12 Quinn-With-Two-Ns

@Vishal-Joshi please see the comment above. The Java SDK is fully compatible with the latest gRPC.

Thanks @Quinn-With-Two-Ns. I applied your fix and tested with gRPC 1.76.0 BOM

<dependency>
            <groupId>io.grpc</groupId>
            <artifactId>grpc-bom</artifactId>
            <version>1.76.0</version>
            <type>pom</type>
  </dependency>

But I see then our tests start to break as io.temporal:temporal-testing:jar:1.31.0 has some internal dependency

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [io.temporal.testing.TestWorkflowEnvironment]: Factory method 'testWorkflowEnvironment' threw exception with message: io/grpc/internal/AbstractServerImplBuilder
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
        at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
        ... 176 more
Caused by: java.lang.NoClassDefFoundError: io/grpc/internal/AbstractServerImplBuilder
        at java.base/java.lang.ClassLoader.defineClass1(Native Method)
        at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1027)
        at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:150)
        at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:862)
        at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760)
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)

It is not only testing. If I try to run the temporal managed by spring-boot v3.5.7, the application fails to start up with same error Temporal related dependencies in pom are

<dependency>
                <groupId>io.temporal</groupId>
                <artifactId>temporal-spring-boot-starter</artifactId>
                <version>1.31.0</version>
            </dependency>
            <dependency>
                <groupId>io.temporal</groupId>
                <artifactId>temporal-spring-boot-autoconfigure</artifactId>
                <version>1.31.0</version>
            </dependency>
            <dependency>
                <groupId>io.temporal</groupId>
                <artifactId>temporal-kotlin</artifactId>
                <version>1.31.0</version>
            </dependency>

	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:804)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:546)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:254)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1770)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1653)
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:913)
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
	... 21 common frames omitted
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'temporalClientTemplate' defined in class path resource [io/temporal/spring/boot/autoconfigure/RootNamespaceAutoConfiguration.class]: Unsatisfied dependency expressed through method 'clientTemplate' parameter 0: Error creating bean with name 'temporalRootNamespaceTemplate' defined in class path resource [io/temporal/spring/boot/autoconfigure/RootNamespaceAutoConfiguration.class]: Unsatisfied dependency expressed through method 'rootNamespaceTemplate' parameter 1: Error creating bean with name 'temporalWorkflowServiceStubs' defined in class path resource [io/temporal/spring/boot/autoconfigure/ServiceStubsAutoConfiguration.class]: Failed to instantiate [io.temporal.serviceclient.WorkflowServiceStubs]: Factory method 'workflowServiceStubsTemplate' threw exception with message: io/grpc/internal/AbstractManagedChannelImplBuilder
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:804)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:546)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:254)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1770)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1653)
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:913)
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
	... 35 common frames omitted
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'temporalRootNamespaceTemplate' defined in class path resource [io/temporal/spring/boot/autoconfigure/RootNamespaceAutoConfiguration.class]: Unsatisfied dependency expressed through method 'rootNamespaceTemplate' parameter 1: Error creating bean with name 'temporalWorkflowServiceStubs' defined in class path resource [io/temporal/spring/boot/autoconfigure/ServiceStubsAutoConfiguration.class]: Failed to instantiate [io.temporal.serviceclient.WorkflowServiceStubs]: Factory method 'workflowServiceStubsTemplate' threw exception with message: io/grpc/internal/AbstractManagedChannelImplBuilder
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:804)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:546)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1708)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1653)
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:913)
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
	... 49 common frames omitted
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'temporalWorkflowServiceStubs' defined in class path resource [io/temporal/spring/boot/autoconfigure/ServiceStubsAutoConfiguration.class]: Failed to instantiate [io.temporal.serviceclient.WorkflowServiceStubs]: Factory method 'workflowServiceStubsTemplate' threw exception with message: io/grpc/internal/AbstractManagedChannelImplBuilder
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:254)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1770)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1653)
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:913)
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
	... 62 common frames omitted
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [io.temporal.serviceclient.WorkflowServiceStubs]: Factory method 'workflowServiceStubsTemplate' threw exception with message: io/grpc/internal/AbstractManagedChannelImplBuilder
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
	... 76 common frames omitted
Caused by: java.lang.NoClassDefFoundError: io/grpc/internal/AbstractManagedChannelImplBuilder
	at java.base/java.lang.ClassLoader.defineClass1(Native Method)
	at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:962)
	at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:132)
	at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:776)
	at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:691)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:620)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:578)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:490)
	at io.temporal.serviceclient.ChannelManager.prepareChannel(ChannelManager.java:186)
	at io.temporal.serviceclient.ChannelManager.<init>(ChannelManager.java:98)
	at io.temporal.serviceclient.ChannelManager.<init>(ChannelManager.java:78)
	at io.temporal.serviceclient.WorkflowServiceStubsImpl.<init>(WorkflowServiceStubsImpl.java:64)
	at io.temporal.serviceclient.WorkflowServiceStubs.newServiceStubs(WorkflowServiceStubs.java:46)
	at io.temporal.serviceclient.WorkflowServiceStubs.newLocalServiceStubs(WorkflowServiceStubs.java:23)
	at io.temporal.spring.boot.autoconfigure.template.ServiceStubsTemplate.createServiceStubs(ServiceStubsTemplate.java:50)
	at io.temporal.spring.boot.autoconfigure.template.ServiceStubsTemplate.getWorkflowServiceStubs(ServiceStubsTemplate.java:38)
	at io.temporal.spring.boot.autoconfigure.ServiceStubsAutoConfiguration.workflowServiceStubsTemplate(ServiceStubsAutoConfiguration.java:51)
	at io.temporal.spring.boot.autoconfigure.ServiceStubsAutoConfiguration$$SpringCGLIB$$0.CGLIB$workflowServiceStubsTemplate$1(<generated>)
	at io.temporal.spring.boot.autoconfigure.ServiceStubsAutoConfiguration$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
	at io.temporal.spring.boot.autoconfigure.ServiceStubsAutoConfiguration$$SpringCGLIB$$0.workflowServiceStubsTemplate(<generated>)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
	... 79 common frames omitted
Caused by: java.lang.ClassNotFoundException: io.grpc.internal.AbstractManagedChannelImplBuilder
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:580)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:490)
	... 104 common frames omitted

Process finished with exit code 1

Vishal-Joshi avatar Dec 03 '25 10:12 Vishal-Joshi

I have resolved this issue by adding gRPC in "dependencyManagement" of maven with scope import.

<dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>io.grpc</groupId>
                <artifactId>grpc-bom</artifactId>
                <version>1.76.0</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

Vishal-Joshi avatar Dec 05 '25 09:12 Vishal-Joshi