Skip to content

Commit 9463913

Browse files
authored
Bump Netty to 4.1.133.Final and update trivyignore (#1374)
*Issue #, if available:* #1372 *Description of changes:* Bump netty to 4.1.133.Final to fix CVE-2026-41417. This CVE is low-risk for end-users as no attacker-controlled input reaches `setUri()`. Updated trivyignore to keep workflows unblocked until the next ADOT Java release (in ~2 weeks). By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
1 parent c89a398 commit 9463913

4 files changed

Lines changed: 10 additions & 16 deletions

File tree

.github/trivy/daily-scan.trivyignore.yaml

Lines changed: 3 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -11,9 +11,6 @@
1111
# expired_at: <required - YYYY-MM-DD>
1212

1313
vulnerabilities:
14-
- id: CVE-2026-33870
15-
statement: "Netty HTTP/1.1 Request Smuggling. Fix: bump netty-bom to 4.1.132.Final. https://github.com/aws-observability/aws-otel-java-instrumentation/issues/1346"
16-
expired_at: 2026-04-28
17-
- id: CVE-2026-33871
18-
statement: "Netty HTTP/2 CONTINUATION frame flood DoS. Fix: bump netty-bom to 4.1.132.Final. https://github.com/aws-observability/aws-otel-java-instrumentation/issues/1346"
19-
expired_at: 2026-04-28
14+
- id: CVE-2026-41417
15+
statement: "Netty request-line validation bypass via setUri() enables CRLF injection/request smuggling. Low risk for ADOT Java agent (URIs are operator-configured, no attacker-controlled input reaches setUri()). Fix: bump netty-bom to 4.1.133.Final. https://nvd.nist.gov/vuln/detail/CVE-2026-41417"
16+
expired_at: 2026-05-22

.github/trivy/pr-build.trivyignore.yaml

Lines changed: 3 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,6 @@
99
# expired_at: <required - YYYY-MM-DD>
1010

1111
vulnerabilities:
12-
- id: CVE-2026-33870
13-
statement: "Netty HTTP/1.1 Request Smuggling. Fix: bump netty-bom to 4.1.132.Final. https://github.com/aws-observability/aws-otel-java-instrumentation/issues/1346"
14-
expired_at: 2026-04-28
15-
- id: CVE-2026-33871
16-
statement: "Netty HTTP/2 CONTINUATION frame flood DoS. Fix: bump netty-bom to 4.1.132.Final. https://github.com/aws-observability/aws-otel-java-instrumentation/issues/1346"
17-
expired_at: 2026-04-28
12+
- id: CVE-2026-41417
13+
statement: "Netty request-line validation bypass via setUri() enables CRLF injection/request smuggling. Low risk for ADOT Java agent (URIs are operator-configured, no attacker-controlled input reaches setUri()). Fix: bump netty-bom to 4.1.133.Final. https://nvd.nist.gov/vuln/detail/CVE-2026-41417"
14+
expired_at: 2026-05-22

CHANGELOG.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,8 @@ If your change does not need a CHANGELOG entry, add the "skip changelog" label t
1313

1414
## Unreleased
1515

16+
- Bump Netty to 4.1.133.Final to fix CVE-2026-41417
17+
([#1374](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1374))
1618
- Support environment-configured endpoint visibility for HTTP operation names
1719
([#1352](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1352))
1820
- Bump Netty to 4.1.132.Final to fix CVE-2026-33870 and CVE-2026-33871

dependencyManagement/build.gradle.kts

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -40,10 +40,8 @@ val dependencyBoms = listOf(
4040
"com.google.protobuf:protobuf-bom:3.25.1",
4141
"com.linecorp.armeria:armeria-bom:1.26.4",
4242
"io.grpc:grpc-bom:1.59.1",
43-
// netty-bom pins to fix CVE-2026-33870 and CVE-2026-33871.
44-
// Remove once https://github.com/aws/aws-sdk-java-v2/pull/6635 is released and
45-
// AWS SDK for Java (v1) is upgraded to 1.12.796 at least.
46-
"io.netty:netty-bom:4.1.132.Final",
43+
// netty-bom pins to fix CVE-2026-41417
44+
"io.netty:netty-bom:4.1.133.Final",
4745
"io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:$otelAlphaVersion",
4846
"org.apache.logging.log4j:log4j-bom:2.21.1",
4947
"org.junit:junit-bom:5.10.1",

0 commit comments

Comments
 (0)