19 changes: 9 additions & 10 deletions .trivyignore
Expand Up @@ -8,16 +8,6 @@ CVE-2025-66293 exp:2026-06-15
# UID2-6481
CVE-2025-68973 exp:2026-06-15

# gnutls DoS vulnerability via crafted ClientHello - not impactful as gnutls is not used by our Java service
# See: UID2-6655
CVE-2026-1584 exp:2026-08-27
# gnutls DoS vulnerability via DTLS zero-length record - not impactful as gnutls is not used by our Java service
# See: UID2-7008
CVE-2026-33845 exp:2026-11-04
# gnutls DoS vulnerability via heap buffer overflow in DTLS handshake - not impactful as gnutls is not used by our Java service
# See: UID2-7012
CVE-2026-33846 exp:2026-11-05

# jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
# See: UID2-6670
GHSA-72hv-8253-57qq exp:2026-09-01
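Review bot: the three gnutls ignores (CVE-2026-1584, CVE-2026-33845, CVE-2026-33846) are dropped here without any record of which gnutls package version now resolves them, so the deletion cannot be checked against the Dockerfile change it depends on; add the resolving version to the PR description or a comment, and note the Trivy run that came back clean. The removed comments also state that gnutls is not used by the Java service at all, in which case removing the package from the image (provided nothing else in it depends on gnutls) would be a tidier fix than keeping it patched, and would stop these ignores from reappearing the next time the base image's package set drifts.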
Expand All @@ -30,3 +20,12 @@ CVE-2026-25646 exp:2026-09-02
# and the core libz library used by the JRE is unaffected. The zlib maintainer disputes this CVE.
# See: UID2-6704
CVE-2026-22184 exp:2026-09-09

# CVE-2026-42577 — netty-transport-native-epoll DoS via RST on half-closed TCP connection.
# Advisory: https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p
# Server-side bug; netty maintainers backported the fix only to 4.2.13.Final and we run on
# vert.x 4 / netty 4.1.x. This service sits behind authenticated load balancers (mTLS / API
# gateway) so anonymous external attackers cannot reach the netty epoll socket directly;
# LB-level connection limits and idle timeouts further cap the blast radius. CVSS impact is
# Availability only (C:N/I:N/A:H). Tracking via UID2-7035; revisit on vert.x 5 migration.
CVE-2026-42577 exp:2026-06-08
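Review bot: the justification for ignoring CVE-2026-42577 rests on the load balancers, but the issue described in the comment is a TCP-level one (RST on a half-closed connection), so what matters is whether the LB terminates TCP in front of netty or passes client connections through; the comment should say which, because a pass-through L4 balancer still exposes the netty epoll socket to every client's TCP segments, and mTLS only restricts who can open a connection, not what an authenticated client can send on it. It would also help to state whether the service actually loads netty-transport-native-epoll at all (vert.x 4 uses the NIO transport unless `setPreferNativeTransport(true)` is set and the native artifact is on the classpath); if the native transport is not in use, that is a stronger reason for the ignore than network position. Finally, since the same PR bumps netty to 4.1.133.Final while this comment says the fix was backported only to 4.2.13.Final, add a sentence making explicit that the bump does not contain the fix, so a future reader does not assume the CVE was addressed by the version change.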
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -2,7 +2,7 @@
FROM eclipse-temurin@sha256:ad0cdd9782db550ca7dde6939a16fd850d04e683d37d3cff79d84a5848ba6a5a

# For Amazon Corretto Crypto Provider
RUN apk add --no-cache gcompat
RUN apk add --no-cache gcompat && apk add --no-cache --upgrade gnutls

WORKDIR /app
EXPOSE 8080
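Review bot: `apk add --no-cache --upgrade gnutls` upgrades to whatever the Alpine repository serves at build time, so the build is no longer reproducible and only fixes the gnutls CVEs if that repository already carries a patched package; pin it (`gnutls=<fixed-version>`, with the actual version that carries the fix) or at least record in a comment which version the .trivyignore deletions in this PR rely on. The `# For Amazon Corretto Crypto Provider` comment now sits above a line that also performs the gnutls upgrade; split the upgrade into its own `RUN` (or at least its own comment) naming the CVEs so the reason survives once the ignores are gone. If gnutls really is unused by the service, as the removed .trivyignore comments said, removing the package is preferable to upgrading it, provided no other package in the image depends on it.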
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -28,7 +28,7 @@
<maven.compiler.source>21</maven.compiler.source>
<maven.compiler.target>21</maven.compiler.target>
<java.version>21</java.version>
<netty.version>4.1.132.Final</netty.version>
<netty.version>4.1.133.Final</netty.version>
</properties>


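Review bot: the bump from 4.1.132.Final to 4.1.133.Final is not explained anywhere in this change set, and the .trivyignore comment added in the same PR states that the CVE-2026-42577 fix was backported only to 4.2.13.Final, so the commit message or PR description should say what this version is for (routine patch update, or a different advisory) so nobody reads it as the fix for that CVE. Because the vert.x 4 dependency BOM manages its own netty version, also confirm that overriding `netty.version` here keeps every netty artifact (including netty-transport-native-epoll, if it is pulled in) on one version, since mixed netty versions are a common source of runtime failures.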