19 changes: 9 additions & 10 deletions .trivyignore
Expand Up @@ -2,16 +2,15 @@
# See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/
# for more details

# gnutls DoS vulnerability via crafted ClientHello - not impactful as gnutls is not used by our Java service
# See: UID2-6655
CVE-2026-1584 exp:2026-08-27
# gnutls DoS vulnerability via DTLS zero-length record - not impactful as gnutls is not used by our Java service
# See: UID2-7008
CVE-2026-33845 exp:2026-11-04
# gnutls DoS vulnerability via heap buffer overflow in DTLS handshake - not impactful as gnutls is not used by our Java service
# See: UID2-7012
CVE-2026-33846 exp:2026-11-05

# jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
# See: UID2-6670
GHSA-72hv-8253-57qq exp:2026-09-01

# CVE-2026-42577 — netty-transport-native-epoll DoS via RST on half-closed TCP connection.
# Advisory: https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p
# Server-side bug; netty maintainers backported the fix only to 4.2.13.Final and we run on
# vert.x 4 / netty 4.1.x. This service sits behind authenticated load balancers (mTLS / API
# gateway) so anonymous external attackers cannot reach the netty epoll socket directly;
# LB-level connection limits and idle timeouts further cap the blast radius. CVSS impact is
# Availability only (C:N/I:N/A:H). Tracking via UID2-7035; revisit on vert.x 5 migration.
CVE-2026-42577 exp:2026-06-08
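Review bot: The rationale for CVE-2026-42577 argues the netty epoll socket is unreachable by anonymous attackers, but the advisory summary on the preceding lines describes a RST on a half-closed TCP connection, which presumably any TCP peer of the service — the load balancer itself or an authenticated caller — can produce, so the accepted residual risk is exposure from authenticated and internal peers rather than no exposure; the comment should say so. The pom.xml section in this PR only bumps netty to 4.1.133.Final, which per this same comment does not carry the fix (backported only to 4.2.13.Final), so the ignore should state that the bump does not resolve it. Suggested addition to the rationale: `# Residual risk: trigger needs only a TCP peer (LB, internal callers); the 4.1.133.Final bump does not fix this CVE.` The exp:2026-06-08 expiry has no stated trigger, unlike the "revisit on vert.x 5 migration" sentence; tying the date to the UID2-7035 review milestone would make the re-evaluation explicit.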
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -17,7 +17,7 @@ COPY ./run_tool.sh /app
COPY ./conf/default-config.json /app/conf/
COPY ./conf/*.xml /app/conf/

RUN apk add --no-cache --upgrade libpng libcrypto3 libssl3 musl musl-utils && addgroup --gid 1100 uidusers && adduser -D -G uidusers --uid 1100 uid2-optout && mkdir -p /opt/uid2 && chmod 755 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads
RUN apk add --no-cache --upgrade libpng libcrypto3 libssl3 musl musl-utils gnutls && addgroup --gid 1100 uidusers && adduser -D -G uidusers --uid 1100 uid2-optout && mkdir -p /opt/uid2 && chmod 755 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads
USER uid2-optout

CMD java \
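Review bot: Adding `gnutls` to the `apk add --no-cache --upgrade` list on the changed RUN line leaves the remediation for the dropped gnutls ignores (CVE-2026-1584, CVE-2026-33845, CVE-2026-33846) unpinned, so whether the fixed build actually lands depends on what the Alpine repository serves at build time, and a later rebuild against a lagging mirror could silently reintroduce the vulnerable version; pin it (`gnutls=<fixed-version-placeholder>`, hadolint DL3018) or at least add a comment naming the minimum version that clears the scanner. Because `apk add` also marks gnutls as explicitly requested although the old .trivyignore entries state it is unused by the Java service, a comment such as `# gnutls upgraded only to clear trivy findings; not used by the service` records why it is in the image. The pre-existing `chmod 777 -R /app/file-uploads` on the same line makes the upload directory world-writable, while the image switches to `USER uid2-optout` (uid 1100) right after; if only that user writes there, `chown -R uid2-optout:uidusers /app/file-uploads && chmod 750 /app/file-uploads` is the least-privilege form. The `CMD java \` on the last context line is shell form and its argument list continues outside the hunk.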
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -17,7 +17,7 @@
<micrometer.version>1.1.0</micrometer.version>
<uid2-shared.version>11.4.16</uid2-shared.version>
<image.version>${project.version}</image.version>
<netty.version>4.1.132.Final</netty.version>
<netty.version>4.1.133.Final</netty.version>
<junit-jupiter.version>5.10.1</junit-jupiter.version>
<junit-vintage.version>5.10.1</junit-vintage.version>
</properties>