As per https://nvd.nist.gov/vuln/detail/CVE-2020-11612, there is a known vulnerability with the current Netty version used by ktor - 4.1.44.Final
I'll raise a PR to bump to 4.1.48.Final
Is this CVE not relevant when using ktor or am I missing something?
It strikes me as a bit odd to leave a fix for a 'score critical' CVE lying around for a month if it can easily be solved by bumping a version?
Any progress on this :) ? We would appreciate the CVE fix here, too... Thank you :)
There is a workaround whilst my PR remains outstanding - you can force the resolution yourself in your build.gradle:
configurations.all {
    resolutionStrategy {
        // To be deleted when issue https://github.com/ktorio/ktor/pull/1779 is released and we bump ktor
        // Every io.netty artifact pulled in transitively must be pinned, not just netty-codec-http2
        force("io.netty:netty-codec-http2:4.1.48.Final")
        force("io.netty:netty-transport-native-kqueue:4.1.48.Final")
        force("io.netty:netty-transport-native-epoll:4.1.48.Final")
        force("io.netty:netty-codec-http:4.1.48.Final")
        force("io.netty:netty-handler:4.1.48.Final")
        force("io.netty:netty-codec:4.1.48.Final")
        force("io.netty:netty-transport:4.1.48.Final")
        force("io.netty:netty-buffer:4.1.48.Final")
        force("io.netty:netty-resolver:4.1.48.Final")
        force("io.netty:netty-common:4.1.48.Final")
    }
}
Not ideal to have to maintain that, of course, but it will at least patch the CVE in your application and make the OWASP check go green if you've automated it someplace :smile:
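A forced resolution like the one above only helps if every io.netty artifact on the classpath actually ends up at the patched version, so it is worth verifying what Gradle resolves rather than trusting the force list. The script below is an added example (not code from this thread or from the ktor project): it parses the tree that `gradle dependencies --configuration runtimeClasspath` prints, honours Gradle's `declared -> resolved` arrows, and lists any io.netty artifact still below 4.1.48.Final. The dependency report embedded in it is constructed for illustration, not captured from a real build.

```python
"""Flag io.netty artifacts that a Gradle build resolves below a required version.

Added example, not part of the ktor project. It reads the plain-text tree that
`gradle dependencies` prints and reports artifacts older than MIN_NETTY.
"""
import re

MIN_NETTY = "4.1.48.Final"

# Matches dependency lines such as:
#   +--- io.netty:netty-codec-http:4.1.44.Final
#   |    \--- io.netty:netty-codec:4.1.44.Final -> 4.1.48.Final
#   \--- io.netty:netty-common:4.1.48.Final (*)
# The optional "-> version" part is Gradle's way of showing a conflict-resolved
# (or forced) version that differs from the declared one.
DEP_LINE = re.compile(
    r"io\.netty:(?P<artifact>[\w.-]+):(?P<declared>[\w.-]+)"
    r"(?:\s*->\s*(?P<resolved>[\w.-]+))?"
)


def version_key(version):
    """'4.1.48.Final' -> (4, 1, 48); non-numeric qualifiers such as Final are dropped."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def resolved_netty_versions(report):
    """Return {artifact: resolved version} for every io.netty line in the report."""
    versions = {}
    for line in report.splitlines():
        match = DEP_LINE.search(line)
        if not match:
            continue
        # Prefer the arrow target when Gradle shows one; otherwise the declared version stands.
        versions[match.group("artifact")] = match.group("resolved") or match.group("declared")
    return versions


def check_report(report, minimum=MIN_NETTY):
    """Return sorted (artifact, version) pairs whose resolved version is below `minimum`."""
    floor = version_key(minimum)
    return sorted(
        (artifact, version)
        for artifact, version in resolved_netty_versions(report).items()
        if version_key(version) < floor
    )


# Constructed sample of a `gradle dependencies` tree; only one artifact was bumped.
SAMPLE_REPORT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- io.ktor:ktor-server-netty:<version>
|    +--- io.netty:netty-codec-http2:4.1.44.Final
|    |    +--- io.netty:netty-codec-http:4.1.44.Final
|    |    |    +--- io.netty:netty-codec:4.1.44.Final
|    |    |    \\--- io.netty:netty-handler:4.1.44.Final
|    |    \\--- io.netty:netty-common:4.1.44.Final -> 4.1.48.Final
|    \\--- io.netty:netty-transport-native-epoll:4.1.44.Final
\\--- io.netty:netty-common:4.1.48.Final (*)
"""

if __name__ == "__main__":
    stale = check_report(SAMPLE_REPORT)
    if stale:
        print(f"io.netty artifacts below {MIN_NETTY}:")
        for artifact, version in stale:
            print(f"  {artifact}: {version}")
    else:
        print(f"All io.netty artifacts are at {MIN_NETTY} or newer.")
```

Run it against your own build with `gradle dependencies --configuration runtimeClasspath > deps.txt` and pass the file contents to `check_report`; an empty result means the force list covered every transitive Netty module, a non-empty one names exactly the artifacts that still need pinning.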
Please check the following ticket on YouTrack for follow-ups to this issue. GitHub issues will be closed in the coming weeks.
Fixed in 1.4.0