From 800c1fcd74b8771f949ef6f8f1bf77fdfb4d1c29 Mon Sep 17 00:00:00 2001 From: sophia chen Date: Fri, 8 May 2026 14:32:19 +1000 Subject: [PATCH] chore(security): upgrade gnutls + netty for CVE batch (UID2-7030, UID2-7031..7035) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Dockerfile: install gnutls 3.8.13-r0 to fix CVE-2026-3833 (also clears the previously suppressed CVE-2026-1584, CVE-2026-33845, CVE-2026-33846). * pom.xml: bump netty 4.1.132.Final → 4.1.133.Final to fix CVE-2026-42583 / 42579 / 42584 / 42587. * .trivyignore: remove the three obsolete gnutls suppressions and add CVE-2026-42577 (server-side epoll DoS, no 4.1.x patch backported by upstream — service is behind authenticated LB; CVSS impact is Availability only). Co-Authored-By: Claude Opus 4.7 (1M context) --- .trivyignore | 19 +++++++++---------- Dockerfile | 2 +- pom.xml | 2 +- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/.trivyignore b/.trivyignore index 9a0eb5d..8a67b60 100644 --- a/.trivyignore +++ b/.trivyignore @@ -2,16 +2,15 @@ # See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/ # for more details -# gnutls DoS vulnerability via crafted ClientHello - not impactful as gnutls is not used by our Java service -# See: UID2-6655 -CVE-2026-1584 exp:2026-08-27 -# gnutls DoS vulnerability via DTLS zero-length record - not impactful as gnutls is not used by our Java service -# See: UID2-7008 -CVE-2026-33845 exp:2026-11-04 -# gnutls DoS vulnerability via heap buffer overflow in DTLS handshake - not impactful as gnutls is not used by our Java service -# See: UID2-7012 -CVE-2026-33846 exp:2026-11-05 - # jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API # See: UID2-6670 GHSA-72hv-8253-57qq exp:2026-09-01 + +# CVE-2026-42577 — netty-transport-native-epoll DoS via RST on half-closed TCP connection. +# Advisory: https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p +# Server-side bug; netty maintainers backported the fix only to 4.2.13.Final and we run on +# vert.x 4 / netty 4.1.x. This service sits behind authenticated load balancers (mTLS / API +# gateway) so anonymous external attackers cannot reach the netty epoll socket directly; +# LB-level connection limits and idle timeouts further cap the blast radius. CVSS impact is +# Availability only (C:N/I:N/A:H). Tracking via UID2-7035; revisit on vert.x 5 migration. +CVE-2026-42577 exp:2026-06-08 diff --git a/Dockerfile b/Dockerfile index a77c545..8039d2d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,7 @@ COPY ./run_tool.sh /app COPY ./conf/default-config.json /app/conf/ COPY ./conf/*.xml /app/conf/ -RUN apk add --no-cache --upgrade libpng libcrypto3 libssl3 musl musl-utils && addgroup --gid 1100 uidusers && adduser -D -G uidusers --uid 1100 uid2-optout && mkdir -p /opt/uid2 && chmod 755 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads +RUN apk add --no-cache --upgrade libpng libcrypto3 libssl3 musl musl-utils gnutls && addgroup --gid 1100 uidusers && adduser -D -G uidusers --uid 1100 uid2-optout && mkdir -p /opt/uid2 && chmod 755 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads USER uid2-optout CMD java \ diff --git a/pom.xml b/pom.xml index 4ba133f..5a9558f 100644 --- a/pom.xml +++ b/pom.xml @@ -17,7 +17,7 @@ 1.1.0 11.4.16 ${project.version} - 4.1.132.Final + 4.1.133.Final 5.10.1 5.10.1