Skip to content

[Improvement-17952][Dependency]Upgrade Netty to fix HTTP/2 DoS (CVE-2023-44487)#17954

Closed
dill21yu wants to merge 1 commit intoapache:devfrom
dill21yu:Upgrade-Netty
Closed

[Improvement-17952][Dependency]Upgrade Netty to fix HTTP/2 DoS (CVE-2023-44487)#17954
dill21yu wants to merge 1 commit intoapache:devfrom
dill21yu:Upgrade-Netty

Conversation

@dill21yu
Copy link
Copy Markdown
Contributor

@dill21yu dill21yu commented Feb 5, 2026

Purpose of the pull request

close #17952

Brief change log
Upgrade Netty from 4.1.53.Final to 4.1.100.Final to fix GHSA-qppj-fm5r-hxr3

Pull Request Notice

Pull Request Notice

If your pull request contains incompatible change, you should also add it to docs/docs/en/guide/upgrade/incompatible.md

ruanwenjun
ruanwenjun requested changes Feb 5, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@ruanwenjun ruanwenjun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't use HTTP at the RPC module, does this affect?

@dill21yu
Copy link
Copy Markdown
Contributor Author

dill21yu commented Feb 6, 2026

We don't use HTTP at the RPC module, does this affect?
Yes, We don’t use HTTP in the RPC module, so CVE-2023-44487 does not affect the default internal RPC. However, we still recommend upgrading both Jetty and Netty for overall security. Could you please evaluate whether we should upgrade Netty and Jetty since our dependency scan shows they are within the affected range for CVE-2023-44487?

  1. Jetty (API server) — upgrade recommended
    Exposure: The API server exposes HTTP on port 12345 via spring-boot-starter-jetty
    Vulnerable version: LICENSE lists Jetty 9.4.51.v20230217, which is affected by CVE-2023-44487 .
    Current config: application.yaml does not enable server.http2.enabled , but JDK 9+ or ALPN environments may auto-negotiate HTTP/2, still triggering the vulnerability.
    Recommendation: Upgrade Jetty to 9.4.52+.
  2. Netty (internal RPC) — upgrade recommended
    Default safety: RPC uses a custom binary protocol with TransporterEncoder/Decoder, not HTTP/2 .
    Potential risk: Dependencies include netty-codec-http2-4.1.53.Final.jar ; if a plugin enables HTTP/2, the CVE can be exposed .
    Version defined: dolphinscheduler-bom/pom.xml sets netty.version=4.1.53.Final .
    Recommendation: Upgrade Netty to 4.1.100.Final+ and restrict plugin ports to internal access only.
  3. Upgrade path
    How: Update netty.version and spring-boot.version in dolphinscheduler-bom/pom.xml to pull in fixed Jetty versions. @ruanwenjun

@ruanwenjun
Copy link
Copy Markdown
Member

ruanwenjun commented Feb 6, 2026

@dill21yu I am -1 to upgrade Netty from 4.1.53.Final to 4.1.100.Final.
Please provide concrete evidence of how upgrading this component actually benefits DolphinScheduler. As far as I can tell, it's currently unclear what issues the upgrade resolves, but it does introduce certain risks.
I would perfer to upgrade to 4.1.131.Final4.1.131.Final, since this version doesn't have any cve.

@ruanwenjun ruanwenjun closed this Feb 6, 2026
@ruanwenjun ruanwenjun mentioned this pull request Feb 6, 2026
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ruanwenjun ruanwenjun ruanwenjun requested changes

@SbloodyS SbloodyS Awaiting requested review from SbloodyS SbloodyS is a code owner

Assignees

@dill21yu dill21yu

Labels

backend

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Improvement][Dependency][Security] Upgrade Netty to fix HTTP/2 DoS (CVE-2023-44487)

2 participants

@dill21yu @ruanwenjun