Recently it’s been noticed that netty-all-4.1.42.Final.jar is getting flagged for “high” security vulnerabilities CVE-2019-20444 and CVE-2019-20445.
Analysis shows that Geode does not use Netty in a manner that would expose this vulnerability. The risk of bringing GEODE-7969 is very low. Netty is only imported for some I/O libraries in geode-redis, not used as a server. GEODE-7969 has passed all PR checks on support/1.12, and the same version bump to 4.1.45.Final has been on develop since February via GEODE-7798. This fix is critical to avoid false positives in automated vulnerability scans.

-Owen