CVE-2016-4970 (High) detected in netty-all-4.0.23.Final.jar

[mend-for-github-com]

CVE-2016-4970 - High Severity Vulnerability

Vulnerable Library - netty-all-4.0.23.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /ranger-hbase-plugin-shim/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.23.Final/netty-all-4.0.23.Final.jar

Dependency Hierarchy:

• hbase-server-2.0.2.jar (Root Library)
  • hadoop-hdfs-2.7.7.jar
    • ❌ netty-all-4.0.23.Final.jar (Vulnerable Library)

Found in HEAD commit: 3d8c1142c5739a45e8e562215c8c83915a44ee6c

Found in base branch: master

Vulnerability Details

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).

Publish Date: 2017-04-13

URL: CVE-2016-4970

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4970

Release Date: 2017-04-13

Fix Resolution (io.netty:netty-all): 4.0.37.Final

Direct dependency fix Resolution (org.apache.hbase:hbase-server): 2.0.3

---

⛑️ Automatic Remediation is available for this issue