When running vulnerability checks, e.g. against National Vulnerability Database (https://nvd.nist.gov)
I expect the aws-sdk-java-v2 to pass with no known CVE issues.
Currently, the following CVEs are reported when scanning projects containing AWS SDK with https://jeremylong.github.io/DependencyCheck:
netty-nio-client-2.9.13.jar (pkg:maven/software.amazon.awssdk/netty-nio-client@2.9.13, cpe:2.3:a:netty:netty:2.9.13:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869
netty-transport-4.1.39.Final.jar (pkg:maven/io.netty/netty-transport@4.1.39.Final, cpe:2.3:a:netty:netty:4.1.39:*:*:*:*:*:*:*) : CVE-2019-16869
netty-reactive-streams-2.0.3.jar (pkg:maven/com.typesafe.netty/netty-reactive-streams@2.0.3, cpe:2.3:a:netty:netty:2.0.3:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869
Fix CVE-2014-3488, CVE-2015-2156, CVE-2019-16869 in netty-nio-client 2.9.13.
Additionally, as soon as fixes for the non-aws-sdk dependencies are provided, update their versions as well.
Run https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html on the project.
To provide software with as few security issues/vulnerabilities as possible, we use various tools at different levels of the build and deployment process.
So this actually forces us to accept our applications will be delivered with certain known vuln. for the time being.
Hi @fstendel, looks like you are using different versions of sdk modules - netty-nio-client 2.9.13 and other modules 2.10.23
netty-nio-client 2.10.23 depends on a newer version of netty that doesn't seem to have known CVE issues.
Hi @zoewangg ,
thank you for your quick response.
Unfortunately, I made a mistake and posted the logs of our 2.9.13 build run.
The ones for 2.10.23 are still showing the error in regards to the aws-sdk maintained dependency:
netty-nio-client-2.10.23.jar (pkg:maven/software.amazon.awssdk/netty-nio-client@2.10.23, cpe:2.3:a:netty:netty:2.10.23:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869
netty-transport-4.1.39.Final.jar (pkg:maven/io.netty/netty-transport@4.1.39.Final, cpe:2.3:a:netty:netty:4.1.39:*:*:*:*:*:*:*) : CVE-2019-16869
netty-reactive-streams-2.0.3.jar (pkg:maven/com.typesafe.netty/netty-reactive-streams@2.0.3, cpe:2.3:a:netty:netty:2.0.3:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869
After having another look at it, the only other aws dependency in the application in question which is using another version is amazon-sqs-java-messaging-lib.
Although I would be wondering if this is causing the software.amazon.awssdk/netty-nio-client@2.10.23 finding.
I can have a look at it tomorrow.
Can you, by any chance, reach out to/connect me to the team maintaining the sqs-java-messaging-lib? (to 'shorten the customer journey' in case it is the messaging lib causing the CVE finding)
The relevant github repository looks a tad bit abandoned.
Cheers
Hmmm, netty-nio-client-2.10.23 actually depends on netty-transport-4.1.42.Final.
https://github.com/aws/aws-sdk-java-v2/blob/e859f253de864236ac3e318ca58bd03b42f70621/pom.xml#L99
Could you run mvn dependency:tree to see where netty-transport-4.1.39 is pulled from?
As regards sqs-java-messaging-lib, could you create an issue on their GitHub repo? We'll reach out to them to let them know about the issue.
Hi @zoewangg
OWASP Dependency-Check still reports two issues on the newest version (2.10.24):
netty-nio-client-2.10.24.jar (pkg:maven/software.amazon.awssdk/netty-nio-client@2.10.24, cpe:2.3:a:netty:netty:2.10.24:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869
netty-reactive-streams-2.0.3.jar (pkg:maven/com.typesafe.netty/netty-reactive-streams@2.0.3, cpe:2.3:a:netty:netty:2.0.3:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869
Looks like the old netty version is pulled from our dependency netty-reactive-streams-2.0.3, but the SDK itself uses the latest netty version and should not have any issues.
We will schedule the work to update netty-reactive-streams version.
Closing this via #1560, in which the version of netty-reactive-streams was updated to 2.0.4.
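A defender-side follow-up, added here and not part of the thread or of the SDK project: a Dependency-Check suppression file that silences only the name-based CPE match on the SDK's own netty-nio-client artifact (the false positive discussed above, where the CPE `netty:netty` is assigned because of the artifact name), while leaving the netty-reactive-streams finding visible, since that one really does pull in an old netty and belongs to an upgrade rather than a suppression. The file name and the notes text are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name); wire it into
     dependency-check-maven via
       <configuration><suppressionFiles>
         <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
       </suppressionFiles></configuration> -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: software.amazon.awssdk:netty-nio-client is the AWS SDK's
        Netty-based HTTP client, not the io.netty project. Its artifact name causes
        Dependency-Check to assign cpe:/a:netty:netty with the SDK version (e.g. 2.10.24),
        which then matches Netty CVEs such as CVE-2014-3488, CVE-2015-2156 and
        CVE-2019-16869. The real Netty version in use is reported separately
        under io.netty:netty-* artifacts and is NOT suppressed here.
        ]]></notes>
        <!-- Match every version of this one artifact, but only the netty:netty CPE,
             so other findings against the same jar would still surface. -->
        <packageUrl regex="true">^pkg:maven/software\.amazon\.awssdk/netty\-nio\-client@.*$</packageUrl>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>
    <!-- Deliberately no entry for com.typesafe.netty:netty-reactive-streams:
         that artifact transitively pulls an old netty-transport, so the fix is
         to upgrade it (the thread's resolution), not to hide the finding. -->
</suppressions>
```

After adding the file, re-run the scan and confirm that only the netty-reactive-streams line disappears once that dependency is upgraded; if an io.netty artifact still reports CVE-2019-16869, the old transitive version is still on the classpath and the suppression has correctly left it visible.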