topstair

Reputation: 41

Do CVEs against netty apply to reactor netty?

My security tool is detecting a reactor netty package and flagging it with netty CVEs.

Details:

  1. My server has reactor netty v1.0.23 installed (v1.0.23 was released Sep 30, 2022)
  2. My security tool identifies CVE-2019-20445
  3. CVE-2019-20445 was written in 2019 against netty v4.1.44 and earlier (v4.1.44 was released Oct 24, 2019)
  4. I suspect my security tool is misidentifying reactor-netty-http-1.0.23 as a version of netty earlier than 4.1.44
  5. But I'm also aware of cases where a MySQL CVE is applicable to MariaDB because they share the same code base

Do CVEs against netty apply to reactor netty?
Is there a way to prove netty CVEs don't apply or are only applicable in certain cases?

If reactor-netty v1.0.23 is based on the "old" netty 4.1.44 then the CVE should be flagged.
If reactor-netty v1.0.23 is based on the "new" netty 4.1.82 then the CVE should NOT be flagged.

I'd appreciate any clarification/correction before I flag this as a false positive.

Upvotes: 0

Views: 129
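As an added example (not part of the question, and not code from either the Netty or Reactor Netty projects), the script below reproduces the mismatch the question suspects. reactor-netty-http is published under the Maven groupId io.projectreactor.netty and pulls in io.netty artifacts as transitive dependencies, so its own 1.0.x version number says nothing about the netty version in use. A scanner that keys on the substring "netty" in the artifactId and compares 1.0.23 against a 4.1.x fix version will fire; a check keyed on the advisory's groupId and the resolved io.netty version will not. The dependency tree is constructed for illustration in the format of `mvn dependency:tree`, and the io.netty version in it is an assumption, not a claim about what reactor-netty 1.0.23 actually resolves; run `mvn dependency:tree` (or inspect the jar's bundled pom.xml) on the real server to get that.

```python
import re

# Constructed sample in the style of `mvn dependency:tree` output.
# The io.netty version shown is an assumption for illustration only.
SAMPLE_DEPENDENCY_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] \\- io.projectreactor.netty:reactor-netty-http:jar:1.0.23:compile
[INFO]    +- io.netty:netty-codec-http:jar:4.1.82.Final:compile
[INFO]    |  +- io.netty:netty-common:jar:4.1.82.Final:compile
[INFO]    |  \\- io.netty:netty-handler:jar:4.1.82.Final:compile
[INFO]    \\- io.projectreactor:reactor-core:jar:3.4.23:compile
"""

# groupId:artifactId:jar:version[:scope]
GAV_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)(?::\w+)?")


def parse_dependency_tree(text):
    """Return (groupId, artifactId, version) tuples found in dependency:tree output."""
    found = []
    for line in text.splitlines():
        m = GAV_RE.search(line)
        if m:
            found.append(m.groups())
    return found


def version_key(version):
    """Numeric key for Maven-style versions (4.1.9 < 4.1.44); qualifiers like
    '.Final' are ignored, which is sufficient for release-to-release comparison."""
    numeric = re.match(r"(\d+(?:\.\d+)*)", version).group(1)
    return tuple(int(part) for part in numeric.split("."))


def naive_match(artifacts, cve_fixed_version):
    """Mimic a scanner that treats any artifactId containing 'netty' as netty
    itself: reactor-netty-http 1.0.23 compares below 4.1.44 and is flagged."""
    return [
        (g, a, v) for g, a, v in artifacts
        if "netty" in a and version_key(v) < version_key(cve_fixed_version)
    ]


def coordinate_match(artifacts, cve_group_id, cve_fixed_version):
    """Correct check: only artifacts in the advisory's groupId count, and only
    when the version actually resolved on the classpath is below the fix."""
    return [
        (g, a, v) for g, a, v in artifacts
        if g == cve_group_id and version_key(v) < version_key(cve_fixed_version)
    ]


if __name__ == "__main__":
    arts = parse_dependency_tree(SAMPLE_DEPENDENCY_TREE)
    print("substring match flags:", naive_match(arts, "4.1.44"))
    print("groupId match flags:  ", coordinate_match(arts, "io.netty", "4.1.44"))
```

The useful output for the false-positive write-up is the resolved io.netty version on the real classpath, compared against the fixed version in the advisory; if that version is at or above the fix, the reactor-netty artifact's own version is irrelevant to the CVE.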

Answers (0)
