Vulnerability: Man-in-the-Middle (MitM) #10806

superalb21234 · 2020-11-17T16:12:55Z

Expected behavior

Actual behavior

netty-handler is vulnerable to man-in-the-middle attacks. The library uses an SSLEngine that does not verify certificate hostnames when establishing connections with clients by default. This allows an attacker to potentially intercept and modify network traffic in a successful man-in-the-middle attack.

Steps to reproduce

Minimal yet complete reproducer code (or URL to code)

Netty version

Latest version still has this vulnerability

JVM version (e.g. `java -version`)

OS version (e.g. `uname -a`)

The text was updated successfully, but these errors were encountered:

superalb21234 · 2020-11-17T16:15:58Z

is there a possible future fix for this vulnerability issue?
FYI: using veracode platform to find some vulnerabilities in the application

hyperxpro · 2020-11-17T19:39:35Z

Duplicate of #10362 #9930.

This issue will not be fixed in Netty 4.1.X. It's already scheduled for Netty 5.X in #8537.

normanmaurer · 2020-11-19T07:07:57Z

Yes as stated we will change this in netty 5.

normanmaurer closed this as completed Nov 19, 2020

aaron-steinfeld mentioned this issue Nov 25, 2020

chore: update snyk ignores hypertrace/entity-service#49

Merged

2 tasks

github-actions bot mentioned this issue Jan 10, 2022

Improper Certificate Validation SNYK-JAVA-IONETTY-1042268 RADAR-base/radar-output-restructure#513

Closed

abstractj mentioned this issue Apr 8, 2022

Suppress Snyk false positives keycloak/keycloak#11203

Closed

abstractj mentioned this issue Jun 22, 2022

CWE-295 - Improper Certificate Validation vulnerability in io.netty:netty-handler keycloak/keycloak#12663

Closed

This was referenced Oct 19, 2022

Enabling hostname verification by default keycloak/keycloak#15028

Closed

Suppress Snyk alerts related with Netty keycloak/keycloak#15066

Closed

github-actions bot mentioned this issue Jan 9, 2023

Improper Certificate Validation SNYK-JAVA-IONETTY-1042268 RADAR-base/radar-output-restructure#541

Open

twistedpair mentioned this issue Apr 28, 2023

[Netty 5] Enable hostname verification by default #8537

Closed

cesaroangelo mentioned this issue Sep 21, 2023

Fix for CVE 2023-34455 linkedin/cruise-control#2060

Merged

Morl99 mentioned this issue Oct 24, 2023

Vulnerability CVE-2023-4586 was found in sts-2.21.5.jar aws/aws-sdk-java-v2#4630

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerability: Man-in-the-Middle (MitM) #10806

Vulnerability: Man-in-the-Middle (MitM) #10806

superalb21234 commented Nov 17, 2020

superalb21234 commented Nov 17, 2020

hyperxpro commented Nov 17, 2020

normanmaurer commented Nov 19, 2020

Vulnerability: Man-in-the-Middle (MitM) #10806

Vulnerability: Man-in-the-Middle (MitM) #10806

Comments

superalb21234 commented Nov 17, 2020

Expected behavior

Actual behavior

Steps to reproduce

Minimal yet complete reproducer code (or URL to code)

Netty version

JVM version (e.g. java -version)

OS version (e.g. uname -a)

superalb21234 commented Nov 17, 2020

hyperxpro commented Nov 17, 2020

normanmaurer commented Nov 19, 2020

JVM version (e.g. `java -version`)

OS version (e.g. `uname -a`)