From 0c1058e084a54833037bf629346fec508577aee0 Mon Sep 17 00:00:00 2001
From: David Venable
Date: Tue, 10 Oct 2023 16:25:49 -0500
Subject: [PATCH] Resolve Netty to 4.1.100.Final, require Jetty 11.0.17 in Data Prepper. Use Tomcat 10.1.14 in the example project. These changes fix CVE-2023-44487 to protect against HTTP/2 reset floods. Resolves #3474.
Signed-off-by: David Venable
---
 build.gradle | 20 +++++++++++++++----
 .../sample-app/analytics-service/build.gradle | 3 +++
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/build.gradle b/build.gradle
index 4d51229642..b03cebe34d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -89,7 +89,7 @@ subprojects {
 }
 dependencies {
 implementation platform('com.fasterxml.jackson:jackson-bom:2.15.0')
-implementation platform('org.eclipse.jetty:jetty-bom:11.0.16')
+implementation platform('org.eclipse.jetty:jetty-bom:11.0.17')
 implementation platform('io.micrometer:micrometer-bom:1.10.5')
 implementation libs.guava.core
 implementation libs.slf4j.api
@@ -152,6 +152,18 @@ subprojects {
 }
 because 'CVE from transitive dependencies'
 }
+implementation('org.eclipse.jetty:http2-common') {
+version {
+require '11.0.17'
+}
+because 'Fixes CVE-2023-44487'
+}
+implementation('org.eclipse.jetty:http2-server') {
+version {
+require '11.0.17'
+}
+because 'Fixes CVE-2023-44487'
+}
 implementation('org.xerial.snappy:snappy-java') {
 version {
 require '1.1.10.5'
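Review bot: The two new `implementation('org.eclipse.jetty:http2-common') { version { require '11.0.17' } }` and `http2-server` entries are dependency declarations rather than constraints, so every subproject under this `subprojects {}` block now gets Jetty's HTTP/2 server modules on its runtime classpath whether or not it already used them, which is more surface than a CVE floor needs. If the intent is only to enforce 11.0.17 where those modules are pulled in transitively, the same entries with their `because 'Fixes CVE-2023-44487'` belong under a `constraints { … }` block, and since the `jetty-bom` platform in the first hunk is already bumped to 11.0.17 the duplicate may be droppable altogether. `require` sets a floor rather than a pin, so a transitive asking for a newer 11.0.x would still win — acceptable for a security floor, but worth stating in the `because` string. The existing snappy-java entry below follows the same declaration pattern, so this may be a deliberate file convention; worth confirming before changing. The enclosing `dependencies {}` block starts and ends outside the hunk.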
@@ -195,10 +207,10 @@ subprojects {
 resolutionStrategy.eachDependency { def details ->
 if (details.requested.group == 'io.netty') {
 if (details.requested.name == 'netty') {
-details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.96.Final'
-// replace with your desired version
+details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.100.Final'
+details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
 } else if (!details.requested.name.startsWith('netty-tcnative')) {
-details.useVersion '4.1.96.Final'
+details.useVersion '4.1.100.Final'
 details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
 }
 } else if (details.requested.group == 'log4j' && details.requested.name == 'log4j') {
diff --git a/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle b/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle
index 9dd79fe84f..7c55da8118 100644
--- a/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle
+++ b/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle
@@ -27,6 +27,9 @@ configurations.all {
 resolutionStrategy.eachDependency { DependencyResolveDetails details ->
 if (details.requested.group == 'org.yaml') {
 details.useVersion '2.0'
+} else if (details.requested.group == 'org.apache.tomcat.embed') {
+details.useVersion '10.1.14'
+details.because('Fixes CVE-2023-44487')
 }
 }
 }
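Review bot: The `details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'` text added on the `netty-all` branch, and kept unchanged on the `useVersion` branch, names only the older CVEs, while the bump to 4.1.100.Final is motivated by CVE-2023-44487 per the commit message, so a reader of the resolution log cannot see why 4.1.96.Final was insufficient; update both to something like `details.because 'Fixes CVE-2022-41881, CVE-2021-21290, CVE-2022-41915 and CVE-2023-44487 (HTTP/2 reset flood).'`. The version string and the because text are now duplicated across the two branches, so hoisting them into locals such as `def nettyVersion = '4.1.100.Final'` above the outer `if` would make the next bump a single edit. The pre-existing `netty-tcnative` exclusion appears right, since those artifacts carry their own version line, but that is inferred rather than visible here. The surrounding `eachDependency` closure continues past the hunk.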
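Review bot: The new `details.useVersion '10.1.14'` branch hard-pins every `org.apache.tomcat.embed` artifact in the example app, so a later upgrade of whatever framework BOM pulls Tomcat in (not visible in this hunk) would be silently dragged back to 10.1.14 and reintroduce anything that newer Tomcat fixed; a comment on the branch such as `// Floor for CVE-2023-44487 (HTTP/2 reset flood); re-check when the framework BOM moves past 10.1.14` would at least make the pin visible. If a floor rather than a pin is intended, a `constraints { implementation('org.apache.tomcat.embed:tomcat-embed-core') { version { require '10.1.14' } } }` declaration expresses that without overriding newer selections. The `details.because('Fixes CVE-2023-44487')` call uses parentheses while the sibling `details.useVersion '2.0'` and the root `build.gradle` use Groovy command syntax; pick one for consistency. The enclosing `configurations.all {}` block begins before the hunk.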