
Fix CVE-2024-47535. #1459

Merged (2 commits), Jan 31, 2025

Conversation

AWSHurneyt (Collaborator)

Description

CVE details:

{
  "VulnerabilityID": "CVE-2024-47535",
  "PkgName": "io.netty:netty-common",
  "PkgPath": "usr/share/opensearch/plugins/opensearch-security-analytics/security-analytics-commons-1.0.0.jar",
  "PkgIdentifier": {
    "PURL": "pkg:maven/io.netty/netty-common@4.1.108.Final"
  },
  "InstalledVersion": "4.1.108.Final",
  "FixedVersion": "4.1.115",
  "Status": "fixed",
  "Layer": {
    "Digest": "sha256:490d0de45822d74701c986814b57e4d8132164424019877b38915dadc07ae80a",
    "DiffID": "sha256:1d1542b17eec3a37159135e2fce5b242073af921fcdbdd889b267c28ace4e2a4"
  },
  "SeveritySource": "ghsa",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-47535",
  "DataSource": {
    "ID": "ghsa",
    "Name": "GitHub Security Advisory Maven",
    "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
  },
  "Title": "netty: Denial of Service attack on windows app using Netty",
  "Description": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.",
  "Severity": "MEDIUM",
  "CweIDs": [
    "CWE-400"
  ],
  "VendorSeverity": {
    "ghsa": 2,
    "redhat": 2
  },
  "CVSS": {
    "ghsa": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "V3Score": 5.5
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "V3Score": 5.5
    }
  },
  "References": [
    "https://access.redhat.com/security/cve/CVE-2024-47535",
    "https://github.com/netty/netty",
    "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3",
    "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv",
    "https://nvd.nist.gov/vuln/detail/CVE-2024-47535",
    "https://www.cve.org/CVERecord?id=CVE-2024-47535"
  ],
  "PublishedDate": "2024-11-12T16:15:22.237Z",
  "LastModifiedDate": "2024-11-13T17:01:58.603Z"
}

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following the Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: AWSHurneyt <[email protected]>
@AWSHurneyt AWSHurneyt merged commit 24d782c into opensearch-project:main Jan 31, 2025
4 of 9 checks passed