Netty project 4.1.69 version present in readonlyrest-1.35.1_es7.10.0.zip is vulnerable

Hi,

As per NVD, the netty project 4.1.69 version present in readonlyrest-1.35.1_es7.10.0.zip is vulnerable.

Vulnerability Link:

  1. NVD - CVE-2021-43797

Please look into this.

@Sagarika thanks for your report. It was fixed in ROR 1.37.0 (Download - ReadonlyREST)

1 Like

could you please let me know which Netty version is in ROR 1.37.0?

we’ve just released ROR 1.38.0. It uses netty 4.1.72

Thanks! Please clarify, what ES version(s) are supported by ROR 1.38.0.
On download link, this is not obvious at the moment.

@toomas11 when you pick Free Elasticsearch Plugin from the Select Product selector you should be able to see all supported versions
Screenshot 2022-01-21 at 19.57.31

ROR supports ES starting from 6.0.0.

1 Like