Hi, even the latest version in 2.x of java client sdk for couchbase have following io.netty:netty-all vulnerabilities:
CVE-2019-16869
CVE-2019-20445
CVE-2019-20444
Could we please upgrade the io.netty:netty-all:4.0.56.Final dependencies to a safer version (i.e > 4.1.45.Final) in com.couchbase.client:core-io ?
Moving to sdk 3.x is a bigger effort for us, and we have a future plan for that.
created this for tracking: https://issues.couchbase.com/browse/JVMCBC-838
Thank you.
M
We are going to update the netty dependency in the next release, I closed your JVMCBC and linked to the correct one. Thanks!
Thank you for taking this in the next release.
Also, could you please share the new JVMCBC or any where we can check the status of this; that would help us in planning our release/hotfix for our applications.
I linked it in your JVMCBC: https://issues.couchbase.com/browse/JVMCBC-829
I’m not able to view " JVMCBC-829".
What is the estimated next release date.
Currently planned for 7th april 2020
Hi @daschl,
I am also facing the same vulnerability issue. Any update on the new 2.x version with the fix
The maintenance patch was published today before you asked about it, and the release notes cover that this issue was resolved.
We should also note that if you read the CVEs, the exploits are if you use Netty to open a webserver. Netty has a lot of functionality, and this particular functionality is not used in the dependency inside the Couchbase SDK, which is shadowed into a separate namespace. If you’re using this functionality in your own apps, it’d come from a separate netty.io package namespace. So, in many ways, it’s a theoretical exploit that you are in control of-- if you’re using the com.couchbase.client.deps packages directly from your app, please don’t and then you can’t run into the exploits.
All of that said, we know you want security scans to pass clean, which is why we updated it.