[SNYK: Medium] io.netty:netty-handler Improper Certificate Validation (Due 2022-10-17) #5377

Closed
2 tasks
rfultz opened this issue Aug 17, 2022 · 1 comment
rfultz commented Aug 17, 2022

What we’re after

SNYK flagged a vulnerability, io.netty:netty-handler Improper Certificate Validation

Introduced through org.flywaydb:[email protected]

Detailed paths
Introduced through: unknown:[email protected] › org.flywaydb:[email protected] › software.amazon.awssdk:[email protected] › software.amazon.awssdk:[email protected] › io.netty:[email protected]
Introduced through: unknown:[email protected] › org.flywaydb:[email protected] › software.amazon.awssdk:[email protected] › software.amazon.awssdk:[email protected] › io.netty:[email protected] › io.netty:[email protected]
Introduced through: unknown:[email protected] › org.flywaydb:[email protected] › software.amazon.awssdk:[email protected] › software.amazon.awssdk:[email protected] › io.netty:[email protected] › io.netty:[email protected]
…and 1 more

Overview
io.netty:netty-handler is a library that provides an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Affected versions of this package are vulnerable to Improper Certificate Validation. Certificate hostname validation is disabled by default in Netty 4.1.x which makes it potentially susceptible to Man-in-the-Middle attacks.

Action item(s)

(These are the smaller tasks that should happen in order to complete this work)

  • [ ]

Completion criteria

  • SNYK no longer flags this as a vulnerability, or
  • We've determined that this isn't an issue and we've documented that

References/resources/technical considerations
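
The finding quoted above says Netty 4.1.x leaves certificate hostname validation off unless the caller turns it on. As an added example (not part of the original issue and not this project's code), this is how a client that builds its own Netty pipeline enables it through the JDK's endpoint identification setting; the class name and the `peerHost`/`peerPort` fields are hypothetical.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/** Hypothetical client-side initializer that enforces hostname validation. */
public final class HostnameVerifyingInitializer extends ChannelInitializer<SocketChannel> {
    private final SslContext sslCtx;
    private final String peerHost; // name the certificate must match
    private final int peerPort;

    public HostnameVerifyingInitializer(String peerHost, int peerPort) throws SSLException {
        // Client context backed by the JDK's default trust store.
        this.sslCtx = SslContextBuilder.forClient().build();
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    /** Turns on RFC 2818 style hostname checks for one engine. */
    static void enableHostnameVerification(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        // Without this, the chain is validated against the trust store but
        // the certificate's name is never compared with the peer host.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        // Passing host and port gives the engine the name to verify against
        // (and is also used for SNI).
        SslHandler handler = sslCtx.newHandler(ch.alloc(), peerHost, peerPort);
        enableHostnameVerification(handler.engine());
        ch.pipeline().addLast(handler);
    }
}
```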
