
My security tool is detecting a reactor netty package and flagging it with netty CVEs.

Details:

  1. My server has reactor netty v1.0.23 installed (v1.0.23 was released Sep 30, 2022)
  2. My security tool identifies CVE-2019-20445
  3. CVE-2019-20445 was written in 2019 against netty v4.1.44 and earlier (v4.1.44 was released Oct 24, 2019)
  4. I suspect my security tool is misidentifying reactor-netty-http-1.0.23 as a version of netty earlier than 4.1.44
  5. But I'm also aware of cases where a MySQL CVE is applicable to MariaDB because they share the same code base

Do CVEs against netty apply to reactor netty?
Is there a way to prove netty CVEs don't apply or are only applicable in certain cases?

If reactor-netty v1.0.23 is based on the "old" netty 4.1.44 then the CVE should be flagged.
If reactor-netty v1.0.23 is based on the "new" netty 4.1.82 then the CVE should NOT be flagged.

I'd appreciate any clarification/correction before I flag this as a false positive.

topstair
  • Can you tell us which security tool you are using? – Violeta Georgieva Oct 20 '22 at 06:07
  • I'm using Anchore. But I prefer an answer like "Yes, netty and reactor-netty share the same code base" instead of an answer like "Anchore has a false positive", which would answer a different question like "How does Anchore parse package names to find matches?" – topstair Oct 21 '22 at 17:42
  • No, Netty and Reactor Netty don't share the same code base. These are two different libraries developed by different groups. Reactor Netty uses some functionality provided by Netty but not everything. When there is a CVE in the functionality that is used by Reactor Netty, the dependency is upgraded to that Netty version. Also, if there is a CVE in Reactor Netty, it doesn't have anything to do with Netty. – Violeta Georgieva Oct 22 '22 at 19:05
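One way to check the asker's suspicion concretely, as an added example that is not code from the question or from either project: parse a Maven dependency tree, evaluate the CVE-2019-20445 range ("netty 4.1.44 and earlier", as stated above) only against artifacts in the io.netty group, and contrast that with a name-only match that sweeps in reactor-netty. The tree text and the io.netty versions in it are constructed; the real versions come from your own build.

```python
import re

# CVE-2019-20445 affects Netty 4.1.44 and earlier (as stated in the question).
# Only io.netty artifacts are candidates; reactor-netty artifacts live under
# io.projectreactor.netty and have their own, unrelated version line.
NETTY_GROUP = "io.netty"
CVE_2019_20445_MAX_AFFECTED = (4, 1, 44)

# Constructed sample of `mvn dependency:tree` output for a project using
# reactor-netty-http 1.0.23. The io.netty versions are illustrative only;
# the stale netty-handler line stands in for an explicit override in a POM.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0
[INFO] +- io.projectreactor.netty:reactor-netty-http:jar:1.0.23:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.82.Final:compile
[INFO] |  |  +- io.netty:netty-common:jar:4.1.82.Final:compile
[INFO] |  +- io.projectreactor.netty:reactor-netty-core:jar:1.0.23:compile
[INFO] +- io.netty:netty-handler:jar:4.1.42.Final:compile
"""

# groupId:artifactId:jar:version:scope
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):\w+")

def parse_version(v):
    """Turn '4.1.82.Final' into (4, 1, 82); non-numeric qualifiers are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def netty_artifacts(tree_text):
    """Return {artifactId: version} for artifacts in the io.netty group only."""
    found = {}
    for group, artifact, version in COORD_RE.findall(tree_text):
        if group == NETTY_GROUP:
            found[artifact] = version
    return found

def affected_by_cve_2019_20445(tree_text):
    """io.netty artifacts whose version is <= 4.1.44: the correct finding."""
    return sorted(a for a, v in netty_artifacts(tree_text).items()
                  if parse_version(v) <= CVE_2019_20445_MAX_AFFECTED)

def naive_name_match(tree_text):
    """What a name-only matcher does: any artifact containing 'netty' with a
    version <= 4.1.44, which wrongly includes reactor-netty 1.0.23."""
    return sorted({a for _, a, v in COORD_RE.findall(tree_text)
                   if "netty" in a
                   and parse_version(v) <= CVE_2019_20445_MAX_AFFECTED})
```

Running `affected_by_cve_2019_20445` on the sample reports only the stale io.netty artifact, while `naive_name_match` also reports both reactor-netty artifacts, which is the misidentification the question describes.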

0 Answers