Resolve Netty to 4.1.100.Final, require Jetty 11.0.17 in Data Prepper. Use Tomcat 10.1.14 in the example project. These changes fix CVE-2023-44487 to protect against HTTP/2 reset floods. Resolves #3474. (#3475)

dlvenable · web-flow · commit d3179f09eb40 · 2023-10-10T16:33:25.000-07:00
Signed-off-by: David Venable &lt;dlv@amazon.com&gt;
diff --git a/build.gradle b/build.gradle
@@ -89,7 +89,7 @@ subprojects {
     }
     dependencies {
         implementation platform('com.fasterxml.jackson:jackson-bom:2.15.0')
-        implementation platform('org.eclipse.jetty:jetty-bom:11.0.16')
+        implementation platform('org.eclipse.jetty:jetty-bom:11.0.17')
         implementation platform('io.micrometer:micrometer-bom:1.10.5')
         implementation libs.guava.core
         implementation libs.slf4j.api
@@ -152,6 +152,18 @@ subprojects {
                 }
                 because 'CVE from transitive dependencies'
             }
+            implementation('org.eclipse.jetty:http2-common') {
+                version {
+                    require '11.0.17'
+                }
+                because 'Fixes CVE-2023-44487'
+            }
+            implementation('org.eclipse.jetty:http2-server') {
+                version {
+                    require '11.0.17'
+                }
+                because 'Fixes CVE-2023-44487'
+            }
             implementation('org.xerial.snappy:snappy-java') {
                 version {
                     require '1.1.10.5'
@@ -195,10 +207,10 @@ subprojects {
         resolutionStrategy.eachDependency { def details ->
             if (details.requested.group == 'io.netty') {
                 if (details.requested.name == 'netty') {
-                    details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.96.Final'
-                    // replace with your desired version
+                    details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.100.Final'
+                    details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
                 } else if (!details.requested.name.startsWith('netty-tcnative')) {
-                    details.useVersion '4.1.96.Final'
+                    details.useVersion '4.1.100.Final'
                     details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
                 }
             } else if (details.requested.group == 'log4j' && details.requested.name == 'log4j') {
diff --git a/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle b/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle
@@ -27,6 +27,9 @@ configurations.all {
     resolutionStrategy.eachDependency { DependencyResolveDetails details ->
         if (details.requested.group == 'org.yaml') {
             details.useVersion '2.0'
+        } else if (details.requested.group == 'org.apache.tomcat.embed') {
+            details.useVersion '10.1.14'
+            details.because('Fixes CVE-2023-44487')
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,9 @@ configurations.all {`
`27`	`27`	`resolutionStrategy.eachDependency { DependencyResolveDetails details ->`
`28`	`28`	`if (details.requested.group == 'org.yaml') {`
`29`	`29`	`details.useVersion '2.0'`
	`30`	`+ } else if (details.requested.group == 'org.apache.tomcat.embed') {`
	`31`	`+ details.useVersion '10.1.14'`
	`32`	`+ details.because('Fixes CVE-2023-44487')`
`30`	`33`	`}`
`31`	`34`	`}`
`32`	`35`	`}`