Hi, even the latest version in 2.x of java client sdk for couchbase have following io.netty:netty-all vulnerabilities:
Could we please upgrade the io.netty:netty-all:4.0.56.Final dependencies to a safer version (i.e > 4.1.45.Final) in com.couchbase.client:core-io ?
Moving to sdk 3.x is a bigger effort for us, and we have a future plan for that.
Thank you for taking this in the next release.
Also, could you please share the new JVMCBC or any where we can check the status of this; that would help us in planning our release/hotfix for our applications.
We should also note that if you read the CVEs, the exploits are if you use Netty to open a webserver. Netty has a lot of functionality, and this particular functionality is not used in the dependency inside the Couchbase SDK, which is shadowed into a separate namespace. If you’re using this functionality in your own apps, it’d come from a separate netty.io package namespace. So, in many ways, it’s a theoretical exploit that you are in control of-- if you’re using the com.couchbase.client.deps packages directly from your app, please don’t and then you can’t run into the exploits.
All of that said, we know you want security scans to pass clean, which is why we updated it.