dill21yu commented on PR #17954: URL: https://github.com/apache/dolphinscheduler/pull/17954#issuecomment-3859114402
> We don't use `HTTP` at the RPC module, does this affect?

Yes, we don't use HTTP in the RPC module, so CVE-2023-44487 does not affect the default internal RPC. However, we still recommend upgrading both Jetty and Netty for overall security.

Could you please evaluate whether we should upgrade Netty and Jetty, since our dependency scan shows they are within the affected range for CVE-2023-44487?

1) Jetty (API server) — upgrade recommended
- Exposure: The API server exposes HTTP on port 12345 via spring-boot-starter-jetty.
- Vulnerable version: LICENSE lists Jetty 9.4.51.v20230217, which is affected by CVE-2023-44487.
- Current config: application.yaml does not enable `server.http2.enabled`, but JDK 9+ or ALPN environments may auto-negotiate HTTP/2, still triggering the vulnerability.
- Recommendation: Upgrade Jetty to 9.4.52+.

2) Netty (internal RPC) — upgrade recommended
- Default safety: RPC uses a custom binary protocol with TransporterEncoder/Decoder, not HTTP/2.
- Potential risk: Dependencies include netty-codec-http2-4.1.53.Final.jar; if a plugin enables HTTP/2, the CVE can be exposed.
- Version defined: dolphinscheduler-bom/pom.xml sets `netty.version=4.1.53.Final`.
- Recommendation: Upgrade Netty to 4.1.100.Final+ and restrict plugin ports to internal access only.

3) Upgrade path
- How: Update `netty.version` and `spring-boot.version` in dolphinscheduler-bom/pom.xml to pull in fixed Jetty versions.

@ruanwenjun

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
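The comment above rests on a dependency scan that places the shipped Jetty and Netty jars inside the CVE-2023-44487 (HTTP/2 Rapid Reset) affected range. As an added example, not code from the PR or from DolphinScheduler, the script below shows how such a check can be reproduced offline over a lib/ listing: it parses both jar naming styles quoted in the comment (`9.4.51.v20230217` and `4.1.53.Final`), compares the numeric core against the fixed versions the commenter names (Jetty 9.4.52+, Netty 4.1.100.Final+; these thresholds are assumed from the comment, not verified here), and separately marks the HTTP/2 codec artifact the comment singles out. The jar names in `SAMPLE_JARS` are constructed for the demonstration.

```python
"""Flag Jetty/Netty jars that fall in the CVE-2023-44487 affected range.

Added example, not DolphinScheduler code. The thresholds are taken from the
PR comment (Jetty 9.4.52+ and Netty 4.1.100.Final+ treated as fixed); the
jar names in SAMPLE_JARS are constructed, not a real scan of any build.
"""
import re
from typing import Dict, List, Optional, Tuple

# Lowest version the comment treats as fixed, per product (assumption from the comment).
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "jetty": (9, 4, 52),
    "netty": (4, 1, 100),
}

# Matches both naming styles quoted in the comment:
#   jetty-server-9.4.51.v20230217.jar  -> core 9.4.51, qualifier v20230217
#   netty-codec-http2-4.1.53.Final.jar -> core 4.1.53, qualifier Final
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z0-9-]+?)-(?P<core>\d+(?:\.\d+)*)"
    r"(?:[.-](?P<qualifier>[A-Za-z0-9]+))?\.jar$"
)


def parse_jar(filename: str) -> Optional[Tuple[str, Tuple[int, ...], Optional[str]]]:
    """Split a jar filename into (artifact id, numeric version tuple, qualifier)."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    core = tuple(int(part) for part in m.group("core").split("."))
    return m.group("artifact"), core, m.group("qualifier")


def product_of(artifact: str) -> Optional[str]:
    """Map an artifact id to the product whose threshold applies, if any."""
    if artifact.startswith("jetty-"):
        return "jetty"
    if artifact.startswith("netty-"):
        return "netty"
    return None


def is_affected(product: str, core: Tuple[int, ...]) -> bool:
    """True when the numeric core is below the fixed version for that product.

    Tuple comparison is element-wise, so 4.1.53 < 4.1.100 here even though
    the string "4.1.53" sorts after "4.1.100"; a plain string compare would
    miss exactly the Netty case the comment describes.
    """
    return core < FIXED_VERSIONS[product]


def scan(jar_names: List[str]) -> List[Dict[str, object]]:
    """Return one finding per Jetty/Netty jar still inside the affected range."""
    findings: List[Dict[str, object]] = []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, core, _qualifier = parsed
        product = product_of(artifact)
        if product is None or not is_affected(product, core):
            continue
        findings.append({
            "jar": name,
            "product": product,
            "version": ".".join(str(p) for p in core),
            "fixed_in": ".".join(str(p) for p in FIXED_VERSIONS[product]),
            # The comment singles out the HTTP/2 codec as the artifact that
            # would carry the exposure if a plugin enabled HTTP/2.
            "http2_codec": "http2" in artifact,
        })
    return findings


# Constructed sample of a lib/ listing; not taken from any real distribution.
SAMPLE_JARS = [
    "jetty-server-9.4.51.v20230217.jar",
    "jetty-http-9.4.51.v20230217.jar",
    "netty-codec-http2-4.1.53.Final.jar",
    "netty-transport-4.1.53.Final.jar",
    "netty-handler-4.1.100.Final.jar",      # already at the fixed version
    "spring-boot-starter-jetty-2.7.3.jar",  # starter, not a Jetty artifact itself
]

if __name__ == "__main__":
    for f in scan(SAMPLE_JARS):
        flag = " (HTTP/2 codec)" if f["http2_codec"] else ""
        print(f'{f["jar"]}: {f["product"]} {f["version"]} < {f["fixed_in"]}{flag}')
```

Run against a real `lib/` directory by replacing `SAMPLE_JARS` with `os.listdir(path)`; after bumping `netty.version` and `spring-boot.version` in the BOM as the comment proposes, the same scan should return no findings, which is a cheap regression check to keep beside the dependency upgrade.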
