Dependencies causes CVEs in your execution path

[CleWang]

I found your project uses some dependencies with CVEs and the buggy methods of the CVEs are in the program execution path of your project. To prevent potential risk it may cause, I have suggested some version updates. The following is a detailed content.

• Vulnerable Dependency: io.netty : netty : 3.3.1.Final

• Call Chain to Buggy Methods:

  • Some files in your project call the library method org.jboss.netty.handler.codec.http.CookieDecoder.decode(java.lang.String), which can reach the buggy method of CVE-2015-2156.

    • Files in your project:
      Frameworks/WOAdaptors/ERWOAdaptor/Sources/er/woadaptor/ERWOAdaptorUtilities.java
    • One of the possible call chain:

    org.jboss.netty.handler.codec.http.CookieDecoder.decode(java.lang.String)
    org.jboss.netty.handler.codec.http.Cookie.setMaxAge(int) [buggy method]
    

  • Some files in your project call the library method org.jboss.netty.handler.codec.http.CookieEncoder.encode(), which can reach the buggy method of CVE-2015-2156.

    • Files in your project:
      Frameworks/WOAdaptors/ERWOAdaptor/Sources/com/webobjects/appserver/WOResponseWrapper.java
    • One of the possible call chain:

    org.jboss.netty.handler.codec.http.CookieEncoder.encode()
    org.jboss.netty.handler.codec.http.CookieEncoder.encodeServerSide()
    org.jboss.netty.handler.codec.http.Cookie.getMaxAge() [buggy method]
    

• Update suggestion: version 3.9.9.Final
  3.9.9.Final is a safe version without CVEs. From 3.3.1.Final to 3.9.9.Final, 6 of the APIs (called by 7 times in your project) were modified.