ZOOKEEPER-4469: Suppress OWASP false positives related to Netty TCNative

[eolivelli]

More context here:
https://issues.apache.org/jira/browse/ZOOKEEPER-4469

I am also updating the OWASP dependency check

[symat]

Are we absolutely sure we can simply skip these checks for the netty-tcnative library? Isn't this something we use through netty when we do ClientTLS or QuorumTLS?

I see in the pom.xml file that we use a quite recent netty, but a very old netty-tcnative-classes:

    <netty.version>4.1.73.Final</netty.version>
    <netty.tcnative.version>2.0.48.Final</netty.tcnative.version>

(...)

      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-handler</artifactId>
        <version>${netty.version}</version>
        <exclusions>
          <exclusion>
            <groupId>io.netty</groupId>
            <artifactId>netty-tcnative-classes</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-transport-native-epoll</artifactId>
        <version>${netty.version}</version>
      </dependency>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-tcnative</artifactId>
        <version>${netty.tcnative.version}</version>
      </dependency>
  

Some of these CVEs are actually quite scary (many affecting only the https admin api interface, but some can affect regular QuorumSSL and ClientSSL interfaces too, AFAICT).

I also don't really understand what the netty-tcnative-classes artifact is. It is not mentioned in the documentation I found about netty-tcnative: https://netty.io/wiki/forked-tomcat-native.html

[symat]

I see in the pom.xml file that we use a quite recent netty, but a very old netty-tcnative-classes

never mind, I see 2.0.48.Final is actually the latest netty-tcnative.

In this case I don't understand why these old CVEs appeared now. How can we get e.g. this one: https://nvd.nist.gov/vuln/detail/CVE-2015-2156
This should not be reported for 4.1.73.Final and this has nothing to do with netty-tcnative, AFAICT

Do we have some old netty on our classpath we should exclude?

[symat]

I checked the maven dependency tree, and we don't have any old netty on our class path. These CVEs should not have appeared. Maybe OWASP is mixing the netty-tcnative version with the regular netty version?

[nkalmar]

Yes, looks like it: https://www.giters.com/jeremylong/DependencyCheck/issues/3867

edit: here's the merged patch, owasp was fixed in 6.5.2: jeremylong/DependencyCheck#3865

[nkalmar]

Can we update owasp to latest 6.5.3? Will it cause any issues?

[nkalmar]

Unless we want to upgrade to latest owasp (6.5.3, we are on 5.3.0, so major version change is required) this is a +1 from me. It is a false positive, see previous comments.

[anmolnar]

@eolivelli @symat OWASP upgrade makes sense to me too.

[symat]

yeah... although even the latest OWASP version seems to find false positives:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check (default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869, CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137, CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409, CVE-2021-21290
[ERROR] zookeeper-jute-3.8.0-SNAPSHOT.jar: CVE-2021-29425, CVE-2021-28164, CVE-2021-34429

Here e.g. CVE-2021-43797 should affect only netty prior to 4.1.71.Final and we already have 4.1.73.Final. See: https://nvd.nist.gov/vuln/detail/CVE-2021-43797

Interesting that OWASP 6.5.3 found some additional CVEs. (e.g. CVE-2021-29425, etc) These should be investigated too.

[symat]

I think the nicest would be to update to the latest OWASP, then go through the reported CVEs one-by-one to see if they are really false positives.

[symat]

I tried again, purging my local CVE database this time before running the new OWASP check with latest OWASP 6.5.3. It still reports the same 11 netty and 3 other CVEs that I listed before.

[nkalmar]

That's a bummer, I double checked, this is a closed item in 6.5.2 milestone (one up from last item): https://github.com/jeremylong/DependencyCheck/milestone/38?closed=1

[symat]

OK, I double-checked all the CVE errors detected by the latest OWASP 6.5.3. All of these are false positive. Also I checked the maven dependency tree to make sure we don't have any old netty/jetty/commons-io jars on the claspath). I think we are good to go. But I recommend to still update to the latest OWASP version in our project and also suppress these CVEs below. (let's hope OWASP will be fixed later to produce less false positives)

• CVE-2021-43797 - fixed in netty 4.1.71 (we use 4.1.73)
• CVE-2019-16869 - fixed in netty 4.1.42 (we use 4.1.73)
• CVE-2015-2156 - fixed in netty 4.1.0 (we use 4.1.73)
• CVE-2021-37136 - fixed in netty 4.1.68 (we use 4.1.73)
• CVE-2014-3488 - fixed after netty 3.9.1 (we use 4.1.73)
• CVE-2021-37137 - fixed in netty 4.1.68 (we use 4.1.73)
• CVE-2019-20445 - fixed in netty 4.1.44 (we use 4.1.73)
• CVE-2019-20444 - fixed in netty 4.1.44 (we use 4.1.73)
• CVE-2021-21295 - fixed in netty 4.1.60 (we use 4.1.73)
• CVE-2021-21409 - fixed in netty 4.1.61 (we use 4.1.73)
• CVE-2021-21290 - fixed in netty 4.1.59 (we use 4.1.73)
• CVE-2021-29425 - fixed in commons-io 2.7 (we use 2.11)
• CVE-2021-28164 - fixed in jetty 9.4.39 (we use 9.4.43)
• CVE-2021-34429 - fixed in jetty 9.4.43 (we use 9.4.43)

[eolivelli]

I have updated the OWASP plugin to 6.5.3, but it does not reveal additional CVEs

@symat

[eolivelli]

@nkalmar please take another look

[eolivelli]

@symat I have run the checker locally several times, cleaning the local cache, but I haven't seen new CVEs reported

[symat]

interesting... I'm also unable now to reproduce the additional jetty and commins-io related false positives for some reason. Anyway, I think your PR is good and the mvn clean package -DskipTests dependency-check:check is successful for me now.

Let's merge this and go ahead with the RC...

[symat]

I merged this to the following branches:

• master
• branch-3.8.0
• branch-3.8
• branch-3.7
• branch-3.6

On branch 3.5 I don't see we use netty tcnative, at least we don't have it explicitly added in pom.xml. However, I see some other CVE errors on that branch. We will have to handle branch-3.5 with a separate Jira later (after the 3.8.0 release, when we prepare 3.5.10)

[nkalmar]

One of the devs at owasp clarified to me that this was only fixed for netty:netty artifact, and he also opened a new issue to fix it in other artifacts as well. So this is why we still see false positive in netty-tcnative.