Re: security vulnerability: janusgraph-full-1.0.0-rc1: in ./lib ( netty-all.4.1.58.Final) as well as ./lib/gremlin-console-3.6.1.jar & gremlin-driver.3.6.1.jar (netty-all.4.1.77.Final)

Yingjie Li

Hello Marc,

Yes, they are in the ./lib directory of janusgraph-1.0.0-rc1 and they
embed netty-all.4.1.77.Final.jar, whose CVEs can be found in
the latest version is 4.1.87. ./lib/ directory also comes with

Actually the all in one package janusgraph-full-1.0.0-rc1 that comes
with Cassandra 4.0.6, the netty-all version in both Janusgraph lib and
Cassandra lib is 4.1.58.jar , which has higher security risk of
CVSS 8.4 (sonatype-2021-0789). I was able to successfully replace the
one in Janusgraph lib with the latest 4.1.87 version. But replacing
the one in Cassandra lib throwed an exception and failed to start.

I also checked the latest Cassandra (4.1.0) and it still has the old
version jar (4.1.58). Just wondering whether anybody has some
experience in replacing this jar with the higher version in
Cassandra or gremlin console & driver 3.61.

Also any pointers to other user groups that might be able to help is


On Wed, Jan 25, 2023 at 2:06 AM <hadoopmarc@...> wrote:

Hi Yingjie,

Sorry, I do not understand. The gremlin-console-3.6.1.jar and gremlin-driver.3.6.1.jar are part of janusgraph-1.0.0-rc1.


Join to automatically receive all group messages.