Upgrade io.netty:netty-codec-http2 dependency for the recent DoS vulnerability?

[ozooxo]

On Oct 10, 2023, there's a newly reported DoS vulnerability for io.netty:netty-codec-http2 , which is a dependency of io.grpc:grpc-netty -- https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-5953332

The fix is to upgrade to io.netty:netty-codec-http2 version 4.1.100.Final.

However, io.grpc:grpc-netty seems fixed the version to 4.1.97.Final

grpc-java/repositories.bzl

Line 29 in ccf9101

"io.netty:netty-codec-http2:4.1.97.Final",

$ gradle dependencies

+--- io.grpc:grpc-netty:1.58.0
|    +--- io.netty:netty-codec-http2:4.1.93.Final -> 4.1.97.Final (*)

Also realized that the recent 1.59.0 release doesn't include this version change.

What is the timeline to upgrade io.netty:netty-codec-http2 dependency?

[ejona86]

When using grpc-netty, you are free to depend on netty 4.1.100.Final yourself, and thus upgrade to the newer version. You generally don't need to wait on us for dependency upgrades. We have done some testing against 4.1.100.Final and not seen any incompatibility.

However, 4.1.100.Final doesn't fix CVE-2023-44487 by itself. You have to configure it by calling decoderEnforceMaxRstFramesPerWindow() when constructing the HTTP/2 objects. There's a very aggressive default, but the behavior isn't available to the APIs gRPC uses.

That approach is unwieldy to configure for gRPC, but may be better than nothing. Generally grpc-java server's aren't directly exposed to untrusted clients, so few probably would configure it. I'm looking to expose it on NettyServerBuilder.

[ejona86]

I just released 1.59.1 (it is available on Maven Central; it doesn't matter if it is indexed by search.maven.org; just try using it). It is compatible with Netty 4.1.100 (which doesn't help with the CVE for gRPC) and has a new API to limit RST frame rate (see #10675), which can do something for the CVE when it makes sense. It the same approach as in Netty, but not enabled by default.