What's the plan with netty and CVE-2023-34462?

[breedx-splk]

Looks like #10403 rolled back Netty to below 4.1.94 (to 4.1.93) for performance reasons. Understandable, but this also makes grpc-netty vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-34462.

Is there a plan around this? Is the goal to wait for a newer version that is both not vulnerable and doesn't cause the same benchmark regression?

Thanks in advance!

[ejona86]

If you are using grpc-netty-shaded, then you are safe because gRPC does not use SniHandler. If you are using grpc-netty, then you can upgrade netty yourself by just depending on the newer version. Netty 4.1.96.Final fixed the regression we noticed in 4.1.94.

There's still #10428 , but we don't yet know what's going on with it.

[breedx-splk]

Thanks for the reply, @ejona86 appreciate it!