[Java] Upgrade Netty due to CVE #36209

BryanCutler · 2023-06-21T18:06:59Z

Describe the bug, including details regarding any error messages, version, and platform.

CVE GHSA-6mjq-h674-j845 fixed in Netty 4.1.94.Final

I don't think this relates to Arrow usage with Netty, but there is an API change that Arrow is not compatible with and needs a patch.

Component(s)

Java

### Rationale for this change Upgrading Netty dependency due to CVE GHSA-6mjq-h674-j845 This also requires a patch to arrow-memory ### What changes are included in this PR? Upgrading Netty, gRPC and Protobuf dependencies ### Are these changes tested? Existing tests ### Are there any user-facing changes? No **This PR contains a "Critical Fix".** netty-handler SniHandler 16MB allocation The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. GHSA-6mjq-h674-j845 * Closes: #36209 Authored-by: Bryan Cutler <cutlerb@gmail.com> Signed-off-by: David Li <li.davidm96@gmail.com>

…pache#36211) Upgrading Netty dependency due to CVE GHSA-6mjq-h674-j845 This also requires a patch to arrow-memory Upgrading Netty, gRPC and Protobuf dependencies Existing tests No **This PR contains a "Critical Fix".** netty-handler SniHandler 16MB allocation The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. GHSA-6mjq-h674-j845 * Closes: apache#36209 Authored-by: Bryan Cutler <cutlerb@gmail.com> Signed-off-by: David Li <li.davidm96@gmail.com>

…pache#36211) (#27) * apacheGH-36209: [Java] Upgrade Netty due to security vulnerability (apache#36211) Upgrading Netty dependency due to CVE GHSA-6mjq-h674-j845 This also requires a patch to arrow-memory Upgrading Netty, gRPC and Protobuf dependencies Existing tests No **This PR contains a "Critical Fix".** netty-handler SniHandler 16MB allocation The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. GHSA-6mjq-h674-j845 * Closes: apache#36209 Authored-by: Bryan Cutler <cutlerb@gmail.com> Signed-off-by: David Li <li.davidm96@gmail.com> * Restore jackson version. --------- Signed-off-by: David Li <li.davidm96@gmail.com> Co-authored-by: Bryan Cutler <cutlerb@gmail.com>

* apacheGH-36209: [Java] Upgrade Netty due to security vulnerability (apache#36211) Upgrading Netty dependency due to CVE GHSA-6mjq-h674-j845 This also requires a patch to arrow-memory Upgrading Netty, gRPC and Protobuf dependencies Existing tests No **This PR contains a "Critical Fix".** netty-handler SniHandler 16MB allocation The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. GHSA-6mjq-h674-j845 * Closes: apache#36209 Authored-by: Bryan Cutler <cutlerb@gmail.com> Signed-off-by: David Li <li.davidm96@gmail.com> * Restore jackson version. * Use local based ccache for Mac build instead of sscache. --------- Signed-off-by: David Li <li.davidm96@gmail.com> Co-authored-by: Bryan Cutler <cutlerb@gmail.com>

zhfeng · 2023-06-30T08:22:42Z

Hi @lidavidm @BryanCutler , is there any plan to backport this fix to 10.0.x?

lidavidm · 2023-06-30T11:56:29Z

@zhfeng not at the moment. You can discuss on dev@arrow.apache.org (https://arrow.apache.org/community/) but so far I don't think we will even backport to 12.0.x.