Resolve Netty to 4.1.100.Final, require Jetty 11.0.17 in Data Prepper…

…. Use Tomcat 10.1.14 in the example project. These changes fix CVE-2023-44487 to protect against HTTP/2 reset floods. Resolves #3474. (#3475) Signed-off-by: David Venable <[email protected]>
opensearch-project · Oct 10, 2023 · d3179f0 · d3179f0
1 parent a79cc54
commit d3179f0
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/build.gradle b/build.gradle
@@ -89,7 +89,7 @@ subprojects {
     }
     dependencies {
         implementation platform('com.fasterxml.jackson:jackson-bom:2.15.0')
-        implementation platform('org.eclipse.jetty:jetty-bom:11.0.16')
+        implementation platform('org.eclipse.jetty:jetty-bom:11.0.17')
         implementation platform('io.micrometer:micrometer-bom:1.10.5')
         implementation libs.guava.core
         implementation libs.slf4j.api
@@ -152,6 +152,18 @@ subprojects {
                 }
                 because 'CVE from transitive dependencies'
             }
+            implementation('org.eclipse.jetty:http2-common') {
+                version {
+                    require '11.0.17'
+                }
+                because 'Fixes CVE-2023-44487'
+            }
+            implementation('org.eclipse.jetty:http2-server') {
+                version {
+                    require '11.0.17'
+                }
+                because 'Fixes CVE-2023-44487'
+            }
             implementation('org.xerial.snappy:snappy-java') {
                 version {
                     require '1.1.10.5'
@@ -195,10 +207,10 @@ subprojects {
         resolutionStrategy.eachDependency { def details ->
             if (details.requested.group == 'io.netty') {
                 if (details.requested.name == 'netty') {
-                    details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.96.Final'
-                    // replace with your desired version
+                    details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.100.Final'
+                    details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
                 } else if (!details.requested.name.startsWith('netty-tcnative')) {
-                    details.useVersion '4.1.96.Final'
+                    details.useVersion '4.1.100.Final'
                     details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
                 }
             } else if (details.requested.group == 'log4j' && details.requested.name == 'log4j') {

diff --git a/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle b/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle
@@ -27,6 +27,9 @@ configurations.all {
     resolutionStrategy.eachDependency { DependencyResolveDetails details ->
         if (details.requested.group == 'org.yaml') {
             details.useVersion '2.0'
+        } else if (details.requested.group == 'org.apache.tomcat.embed') {
+            details.useVersion '10.1.14'
+            details.because('Fixes CVE-2023-44487')
         }
     }
 }