netty-handler 4.1.x (SslHandler) flagged as vulnerable dependency #1845

Closed
Bozzzzzo opened this issue Sep 6, 2021 · 5 comments
Labels
for: external-project For an external project and not something we can fix status: invalid An issue that we don't feel is valid

Comments

@Bozzzzzo

Bozzzzzo commented Sep 6, 2021

Bug Report

Well, policy says that for security vulnerabilities we should NOT give away any details.
So I would only say that the enterprise-grade code scan engine we are using in our corp.
reports a security "vulnerability" in a third party that you are using...

I tried searching for a corresponding fixed bug report in your project but had no luck.
Reading some of your code around the potentially vulnerable use,
I could not determine whether the vulnerability is effective or not
(though I am inclined to believe it is not).

I'll be waiting for you to get back to me.

Environment

At least lettuce-core 5.3.1 to 6.1.x are using potentially vulnerable code.

Possible Solution

No upgraded release available yet.
You may need to work around.

Additional context

MITM

@mp911de
Collaborator

mp911de commented Sep 6, 2021

Can you check whether your finding is a duplicate of #1177 or #1264? These come up quite often as false positives. Feel free to provide more details on a 3rd party library in case a version containing the fix is already publicly available.

@mp911de mp911de added the status: waiting-for-feedback We need additional information before we can continue label Sep 6, 2021
@Bozzzzzo
Author

Bozzzzzo commented Sep 6, 2021

No, this is neither of those two.
(Interestingly enough, the second issue contains a snapshot taken from the same code scan engine that I am using.)
And no, there is no fixed RELEASE version of the third-party lib.
(Otherwise I might have tried forcing Maven to use that version via dependencyManagement before pestering you.)

@Bozzzzzo
Author

Bozzzzzo commented Sep 7, 2021

(I am sending more information in private mail)

@Bozzzzzo
Author

Bozzzzzo commented Sep 7, 2021

The problem was an insecure default configuration in netty-handler as discussed in netty/netty#10362

@mp911de mp911de changed the title Potential security vulnerability reported in third party you are using netty-handler 4.1.x (SslHandler) flagged as vulnerable dependency Sep 8, 2021
@mp911de
Collaborator

mp911de commented Sep 8, 2021

Thanks for reaching out. Netty's SslHandler doesn't enable certificate checking according to HTTPS semantics by default. Lettuce isn't affected by this default behavior as we configure SSL verification according to the settings in RedisURI which defaults to full SSL certificate verification. In the context of Lettuce, you can disregard such warnings as a false positive.

There's currently no netty 5.0 release available hence we cannot upgrade to a non-affected version. In any case, that wouldn't change anything on the experienced security features in Lettuce, it would only make the dependency scanner happier.
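To make the distinction in the comment above concrete, here is an added example (not Lettuce's or Netty's own code). It shows, on the Netty side, what a client SslHandler does by default (the engine checks the certificate chain but performs no endpoint identification, i.e. no hostname check) versus the same handler with JSSE endpoint identification set to "HTTPS", and, on the Lettuce side, the RedisURI setting that controls whether peer verification is applied. The hostname and port are assumed values, not a real service.

```java
import io.lettuce.core.RedisURI;
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/**
 * Added example, not Lettuce or Netty project code: contrasts Netty's SslHandler
 * default with a handler that enforces hostname verification, and shows the
 * RedisURI flag Lettuce uses to decide how strictly to verify the peer.
 */
public class SslHandlerVerificationDemo {

    /** Raw Netty client default: the trust manager validates the chain, but no
     *  endpoint identification algorithm is set, so the hostname is not checked. */
    static SslHandler defaultHandler(SslContext ctx, String host, int port) {
        return ctx.newHandler(ByteBufAllocator.DEFAULT, host, port);
    }

    /** Hardened form: enable JSSE endpoint identification so the peer
     *  certificate must match {@code host}, the way HTTPS clients behave. */
    static SslHandler verifyingHandler(SslContext ctx, String host, int port) {
        SslHandler handler = ctx.newHandler(ByteBufAllocator.DEFAULT, host, port);
        SSLEngine engine = handler.engine();
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return handler;
    }

    /** Returns the active endpoint identification algorithm (null means none). */
    static String endpointIdentification(SslHandler handler) {
        return handler.engine().getSSLParameters().getEndpointIdentificationAlgorithm();
    }

    /** Lettuce side: RedisURI carries the verification policy. verifyPeer is
     *  true by default; it is spelled out here so the intent is visible. */
    static RedisURI verifyingRedisUri(String host, int port) {
        return RedisURI.Builder.redis(host, port)
                .withSsl(true)
                .withVerifyPeer(true)
                .build();
    }

    /** Shown only to make the insecure setting recognisable in code review:
     *  verifyPeer=false makes Lettuce accept any certificate. Never ship this. */
    static RedisURI insecureRedisUri(String host, int port) {
        return RedisURI.Builder.redis(host, port)
                .withSsl(true)
                .withVerifyPeer(false)
                .build();
    }

    public static void main(String[] args) throws SSLException {
        // Client context with the platform default trust store.
        SslContext ctx = SslContextBuilder.forClient().build();
        String host = "redis.example.internal"; // assumed hostname for the demo
        int port = 6380;                         // assumed TLS port for the demo

        System.out.println("Netty default endpoint identification: "
                + endpointIdentification(defaultHandler(ctx, host, port)));
        System.out.println("Hardened endpoint identification:      "
                + endpointIdentification(verifyingHandler(ctx, host, port)));

        System.out.println("Lettuce verifyPeer (default):  "
                + verifyingRedisUri(host, port).isVerifyPeer());
        System.out.println("Lettuce verifyPeer (disabled): "
                + insecureRedisUri(host, port).isVerifyPeer());
    }
}
```

The dependency scanner reacts to the first method's behaviour, which is what the netty/netty#10362 discussion is about. Whether that default is reachable in your application depends on the library sitting on top of Netty: a client that sets the SSL parameters itself, as the comment above says Lettuce does according to RedisURI, is not exposed by the default, so the useful check is to confirm verifyPeer is left enabled in your own RedisURI configuration rather than to chase the netty-handler version.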

@mp911de mp911de closed this as completed Sep 8, 2021
@mp911de mp911de added status: invalid An issue that we don't feel is valid for: external-project For an external project and not something we can fix and removed status: waiting-for-feedback We need additional information before we can continue labels Sep 8, 2021