
CVE-2022-41881 in shaded netty in micrometer-registry-statsd #3571

Closed
idotobi opened this issue Dec 20, 2022 · 5 comments
Labels: invalid (An issue that we don't feel is valid)

Comments


idotobi commented Dec 20, 2022

Describe the bug
According to OWASP dependency-check there is a new CVE in the shaded netty dependency.

| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-buffer:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-buffer@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-codec-dns:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-codec-dns@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-codec-socks:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-codec-socks@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-codec:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-codec@4.1.84.Final | HIGH | 2 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-common:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-common@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-handler-proxy:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-handler-proxy@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-handler:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-handler@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-resolver-dns-classes-macos:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-resolver-dns-classes-macos@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-resolver-dns-native-macos:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-resolver-dns-native-macos@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-resolver-dns:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-resolver-dns@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-resolver:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-resolver@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-transport-classes-epoll:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-transport-classes-epoll@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-transport-native-epoll:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-transport-native-epoll@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-transport-native-unix-common:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-transport-native-unix-common@4.1.84.Final | HIGH | 1 | Highest | 9 |
| micrometer-registry-statsd-1.10.2.jar (shaded: io.netty:netty-transport:4.1.84.Final) | cpe:2.3:a:netty:netty:4.1.84:*:*:*:*:*:*:* | pkg:maven/io.netty/netty-transport@4.1.84.Final | HIGH | 1 | Highest | 9 |

Environment

  • Micrometer version: 1.10.2
  • Micrometer registry: statsd
  • OS: Ubuntu
  • Java version: 11

To Reproduce
Run owasp-dependency-check on a project with micrometer as a dependency.

Expected behavior
No vulnerabilities found.

@shakuzen (Member)

CVE-2022-41881 is for the io.netty.codec:codec-haproxy module, which we do not shade in micrometer-registry-statsd. It looks like there is an issue with the dependency checker that it is considering ANY netty module vulnerable, when that is not the case. This is a false positive and should be fixed by the dependency checker to only flag things that contain the affected module. Let me know if I've missed something.
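The reason every shaded module above is flagged is visible in the report itself: each row carries the same product-level CPE, cpe:2.3:a:netty:netty:4.1.84, so a scanner that matches the CVE's CPE range will hit netty-buffer and netty-transport exactly as it hits netty-codec-haproxy. The practitioner's check is to look at what the jar actually bundles rather than what the CPE says. The script below is an added example and is not the issue's or Micrometer's own code. It reads the same META-INF/maven/io.netty/*/pom.properties evidence dependency-check uses to list shaded modules, looks for the HAProxyMessageDecoder class by path suffix so a relocated package is still found, and only then emits a dependency-check suppressions file scoped to the verified-clean pkg:maven coordinates and to this one CVE. The jar contents are constructed in memory; the io.micrometer.shaded relocation prefix in the sample entry is an assumption and not taken from the page.

```python
"""Verify which shaded Netty modules a jar contains before suppressing CVE-2022-41881.

The CVE lives in HAProxyMessageDecoder (netty-codec-haproxy). A scanner matching
on the shared cpe:2.3:a:netty:netty:<version> flags every shaded Netty module,
so this script checks the jar's real contents and, only if the affected module
and class are absent, generates a suppression limited to what was checked.
"""
import io
import re
import zipfile
from xml.sax.saxutils import escape

AFFECTED_MODULE = "netty-codec-haproxy"
# Matched as a suffix so the class is found even after package relocation by a
# shading plugin (e.g. io/micrometer/shaded/io/netty/..., an assumed prefix).
AFFECTED_CLASS_SUFFIX = "handler/codec/haproxy/HAProxyMessageDecoder.class"
POM_PROPS = re.compile(r"^META-INF/maven/io\.netty/([^/]+)/pom\.properties$")


def shaded_netty_modules(jar_bytes: bytes) -> dict:
    """Map artifactId -> version for every io.netty module whose pom.properties
    survived shading; this is the same evidence dependency-check reports."""
    modules = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            version = None
            for line in jar.read(name).decode("utf-8", errors="replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    version = value.strip()
            modules[m.group(1)] = version
    return modules


def contains_haproxy_decoder(jar_bytes: bytes) -> bool:
    """True if the vulnerable decoder class is present under any package prefix."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return any(n.endswith(AFFECTED_CLASS_SUFFIX) for n in jar.namelist())


def assess(jar_bytes: bytes) -> dict:
    modules = shaded_netty_modules(jar_bytes)
    affected = AFFECTED_MODULE in modules or contains_haproxy_decoder(jar_bytes)
    return {"modules": modules, "affected": affected}


def suppression_xml(jar_bytes: bytes, cve: str = "CVE-2022-41881") -> str:
    """Return a dependency-check suppressions file covering only the clean modules.

    Refuses to produce anything when the affected module or class is present:
    in that case the finding is real and must be fixed, not suppressed.
    """
    result = assess(jar_bytes)
    if result["affected"]:
        raise ValueError(f"{AFFECTED_MODULE} or its decoder is present; {cve} applies")
    entries = []
    for artifact, version in sorted(result["modules"].items()):
        purl = f"pkg:maven/io.netty/{artifact}@{version}"  # exact, not a regex
        entries.append(
            "  <suppress>\n"
            f"    <notes><![CDATA[{cve} is in {AFFECTED_MODULE}; jar verified not to bundle it]]></notes>\n"
            f"    <packageUrl>{escape(purl)}</packageUrl>\n"
            f"    <cve>{escape(cve)}</cve>\n"
            "  </suppress>"
        )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">\n'
        + "\n".join(entries) + "\n</suppressions>\n"
    )


def build_jar(entries: dict) -> bytes:
    """Construct an in-memory jar so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample shaped like the jar in the report: shaded netty-codec and
# netty-buffer, no haproxy codec (class bytes are a placeholder magic number).
CLEAN_JAR = build_jar({
    "META-INF/maven/io.netty/netty-codec/pom.properties": "groupId=io.netty\nartifactId=netty-codec\nversion=4.1.84.Final\n",
    "META-INF/maven/io.netty/netty-buffer/pom.properties": "groupId=io.netty\nartifactId=netty-buffer\nversion=4.1.84.Final\n",
    "io/micrometer/shaded/io/netty/handler/codec/ByteToMessageDecoder.class": b"\xca\xfe\xba\xbe",
})

# Constructed counter-example: a jar that really does bundle the affected decoder.
VULNERABLE_JAR = build_jar({
    "META-INF/maven/io.netty/netty-codec-haproxy/pom.properties": "groupId=io.netty\nartifactId=netty-codec-haproxy\nversion=4.1.84.Final\n",
    "io/netty/handler/codec/haproxy/HAProxyMessageDecoder.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    import sys
    jar = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CLEAN_JAR
    print(assess(jar))
    print(suppression_xml(jar))
```

Run it against the real artifact with `python check_netty_shade.py micrometer-registry-statsd-1.10.2.jar` and pass the printed file to dependency-check's `--suppression` option. Scoping the suppression to exact packageUrls and a single CVE, rather than suppressing everything matching netty, keeps the scanner honest if a later release of the jar does start shading the affected module.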

@shakuzen added the invalid label (An issue that we don't feel is valid) and removed the waiting-for-triage label on Dec 21, 2022

idotobi commented Dec 21, 2022

@shakuzen : Thank you for your quick reply 🙇
Your assessment looks correct to me.
Seems like there was a translation error when the CVE got published.


idotobi commented Dec 21, 2022

Sorry for the noise / raising a false-positive.

@shakuzen (Member)

No problem. I wonder where vulnerability scanners are sourcing their patterns of affected code. It would be nice if this could be made more precise going forward, since GitHub is publishing the more specific info. I'm not sure where is best to attack the problem.

@candrews

I submitted an MR to address these false positives in the GitLab Advisory Database: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/merge_requests/21374
