High level OWASP Security Vulnerabilities identified with jDiameter transitive dependencies

[AbdusSuhail-kcom]

While performing OWASP maven dependency checks on one of our projects that use jDiameter's Ro Client and Server APIs, we have identified the following security vulnerabilities both in jdiameter-api and jdiameter-impl transitive dependencies:

• File Path: /org/beanshell/bsh/2.0b4/bsh-2.0b4.jar
  Vulnerability Type: OSSINDEX CVE-2016-2510
  Severity: High
  Description: BeanShell (bsh) before 2.0b6, when included on the classpath by an
  application that uses Java serialization or XStream, allows remote attackers
  to execute arbitrary code via crafted serialized data, related to
  XThis.Handler.

• File Path: /io/netty/netty-all/4.0.36.Final/netty-all-4.0.36.Final.jar
  Vulnerability Type: NVD CVE-2016-4970
  Severity: High
  Description: handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and
  4.1.x before 4.1.1.Final allows remote attackers to cause a denial of
  service (infinite loop). CWE-835: Loop with Unreachable Exit Condition
  ('Infinite Loop')

• File Path: /io/netty/netty-all/4.0.36.Final/netty-all-4.0.36.Final.jar
  Vulnerability Type: NVD CVE-2019-16869
  Severity: Medium
  Description: Netty before 4.1.42.Final mishandles whitespace before the colon in
  HTTP headers (such as a "Transfer-Encoding : chunked" line), which
  leads to HTTP request smuggling.

@deruelle @ammendonca I am registering this issue as this could impact Production services in the telecoms industry that use the jdiameter-api and jdiameter-impl libraries. I guess it may simply be a matter of updating the above dependencies to a newer and more secure version?