Skip to content

Commit

Permalink
Resolve Netty to 4.1.100.Final, require Jetty 11.0.17 in Data Prepper…
Browse files Browse the repository at this point in the history
…. Use Tomcat 10.1.14 in the example project. These changes fix CVE-2023-44487 to protect against HTTP/2 reset floods. Resolves #3474. (#3475)

Signed-off-by: David Venable <dlv@amazon.com>
  • Loading branch information
dlvenable authored Oct 10, 2023
1 parent a79cc54 commit d3179f0
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 4 deletions.
20 changes: 16 additions & 4 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ subprojects {
}
dependencies {
implementation platform('com.fasterxml.jackson:jackson-bom:2.15.0')
implementation platform('org.eclipse.jetty:jetty-bom:11.0.16')
implementation platform('org.eclipse.jetty:jetty-bom:11.0.17')
implementation platform('io.micrometer:micrometer-bom:1.10.5')
implementation libs.guava.core
implementation libs.slf4j.api
Expand Down Expand Up @@ -152,6 +152,18 @@ subprojects {
}
because 'CVE from transitive dependencies'
}
implementation('org.eclipse.jetty:http2-common') {
version {
require '11.0.17'
}
because 'Fixes CVE-2023-44487'
}
implementation('org.eclipse.jetty:http2-server') {
version {
require '11.0.17'
}
because 'Fixes CVE-2023-44487'
}
implementation('org.xerial.snappy:snappy-java') {
version {
require '1.1.10.5'
Expand Down Expand Up @@ -195,10 +207,10 @@ subprojects {
resolutionStrategy.eachDependency { def details ->
if (details.requested.group == 'io.netty') {
if (details.requested.name == 'netty') {
details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.96.Final'
// replace with your desired version
details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.100.Final'
details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
} else if (!details.requested.name.startsWith('netty-tcnative')) {
details.useVersion '4.1.96.Final'
details.useVersion '4.1.100.Final'
details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
}
} else if (details.requested.group == 'log4j' && details.requested.name == 'log4j') {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,9 @@ configurations.all {
resolutionStrategy.eachDependency { DependencyResolveDetails details ->
if (details.requested.group == 'org.yaml') {
details.useVersion '2.0'
} else if (details.requested.group == 'org.apache.tomcat.embed') {
details.useVersion '10.1.14'
details.because('Fixes CVE-2023-44487')
}
}
}
Expand Down

0 comments on commit d3179f0

Please sign in to comment.