Aws-sdk-java-v2: Non mitigated CVEs in netty libraries

Created on 25 Nov 2019 · 6 comments · Source: aws/aws-sdk-java-v2

Expected Behavior

When running vulnerability checks, e.g. against National Vulnerability Database (https://nvd.nist.gov)
I expect the aws-sdk-java-v2 to pass with no known CVE issues.

Current Behavior

Currently, the following CVEs are reported when scanning projects containing AWS SDK with https://jeremylong.github.io/DependencyCheck:

netty-nio-client-2.9.13.jar (pkg:maven/software.amazon.awssdk/netty-nio-client@2.9.13, cpe:2.3:a:netty:netty:2.9.13:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869

netty-transport-4.1.39.Final.jar (pkg:maven/io.netty/netty-transport@4.1.39.Final, cpe:2.3:a:netty:netty:4.1.39:*:*:*:*:*:*:*) : CVE-2019-16869
netty-reactive-streams-2.0.3.jar (pkg:maven/com.typesafe.netty/netty-reactive-streams@2.0.3, cpe:2.3:a:netty:netty:2.0.3:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869

Possible Solution

Fix CVE-2014-3488, CVE-2015-2156, CVE-2019-16869 in netty-nio-client 2.9.13.
Additionally, as soon as fixes for the non-aws-sdk dependencies are provided, update their versions as well.

Steps to Reproduce (for bugs)

Run https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html on the project.

Context

To provide software with as few security issues/vulnerabilities as possible, we use various tools at different levels of the build and deployment process.
So this actually forces us to accept that our applications will be delivered with certain known vulnerabilities for the time being.

Your Environment

  • AWS Java SDK version used: 2.10.23
  • JDK version used: OpenJDK 11
  • Operating System and version: Windows 10, Linux (openjdk-11 docker image)
Labels: dependencies, guidance

All 6 comments

Hi @fstendel, it looks like you are using different versions of SDK modules: netty-nio-client 2.9.13 and other modules 2.10.23.

netty-nio-client 2.10.23 depends on a newer version of netty that doesn't seem to have known CVE issues.

Hi @zoewangg ,

thank you for your quick response.
Unfortunately, I made a mistake and posted the logs of our 2.9.13 build run.
The ones for 2.10.23 still show the error in regard to the aws-sdk-maintained dependency:

netty-nio-client-2.10.23.jar (pkg:maven/software.amazon.awssdk/netty-nio-client@2.10.23, cpe:2.3:a:netty:netty:2.10.23:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869
netty-transport-4.1.39.Final.jar (pkg:maven/io.netty/netty-transport@4.1.39.Final, cpe:2.3:a:netty:netty:4.1.39:*:*:*:*:*:*:*) : CVE-2019-16869
netty-reactive-streams-2.0.3.jar (pkg:maven/com.typesafe.netty/netty-reactive-streams@2.0.3, cpe:2.3:a:netty:netty:2.0.3:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869

After having another look at it, the only other AWS dependency in the application in question which is using another version is amazon-sqs-java-messaging-lib.
Although I would be wondering whether this is causing the software.amazon.awssdk/netty-nio-client@2.10.23 finding.
I can have a look at it tomorrow.

Can you, by any chance, reach out to/connect me to the team maintaining the sqs-java-messaging-lib? (To 'shorten the customer journey' in case it is the messaging lib causing the CVE finding.)

The relevant GitHub repository looks a tad bit abandoned.

Cheers

Hmmm, netty-nio-client-2.10.23 actually depends on netty-transport-4.1.42.Final.

https://github.com/aws/aws-sdk-java-v2/blob/e859f253de864236ac3e318ca58bd03b42f70621/pom.xml#L99

Could you run mvn dependency:tree to see where netty-transport-4.1.39 is pulled from?

As regards sqs-java-messaging-lib, could you create an issue on their GitHub repo? We'll reach out to them to let them know about the issue.
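The question above is the usual triage step for a finding like this: which dependency actually drags the old netty-transport into the build. The following is an added example, not code from the SDK project or from anyone in this thread; it parses `mvn dependency:tree -Dverbose` output and reports, for every occurrence of a given artifact, the chain of parents that pulls it in. The tree text is constructed for illustration and only mimics the situation described (netty-nio-client on netty-transport 4.1.42.Final, netty-reactive-streams 2.0.3 on 4.1.39.Final).

```python
# Constructed sample of `mvn dependency:tree -Dverbose` output (not taken from
# the issue). In verbose mode Maven also prints dependencies it dropped, as
# "(... - omitted for conflict with X)", which is exactly what a scanner result
# for an unexpected version usually needs explained.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- software.amazon.awssdk:netty-nio-client:jar:2.10.23:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.42.Final:compile
[INFO] |  |  \\- io.netty:netty-transport:jar:4.1.42.Final:compile
[INFO] |  \\- com.typesafe.netty:netty-reactive-streams:jar:2.0.3:compile
[INFO] |     \\- (io.netty:netty-transport:jar:4.1.39.Final:compile - omitted for conflict with 4.1.42.Final)
"""


def parse_tree(text):
    """Yield (depth, coordinate, note) for each artifact line of the tree.

    Depth is derived from the 3-character tree-drawing prefix Maven emits per
    level ("+- ", "\\- ", "|  ", "   "). Parenthesised entries carry a note
    such as "omitted for conflict with 4.1.42.Final"."""
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        idx = 0
        while idx < len(line) and line[idx] in " |+\\-":
            idx += 1
        if idx >= len(line):
            continue  # blank or separator line
        rest, note = line[idx:].strip(), ""
        if rest.startswith("(") and rest.endswith(")"):
            rest, _, note = rest[1:-1].partition(" - ")
        yield idx // 3, rest.strip(), note.strip()


def find_pulls(text, group, artifact):
    """Return [(version, chain, note)] for every occurrence of group:artifact.

    chain lists the ancestors "group:artifact:version" from the project root
    down to the direct parent, i.e. who pulls that version in."""
    stack, hits = [], []
    for depth, coord, note in parse_tree(text):
        parts = coord.split(":")
        group_id, artifact_id = parts[0], parts[1]
        # root lines have 4 fields (g:a:type:version); others end with scope
        version = parts[3] if len(parts) == 4 else parts[-2]
        del stack[depth:]  # drop ancestors deeper than or equal to this node
        if group_id == group and artifact_id == artifact:
            hits.append((version, list(stack), note))
        stack.append(f"{group_id}:{artifact_id}:{version}")
    return hits


if __name__ == "__main__":
    for version, chain, note in find_pulls(SAMPLE_TREE, "io.netty", "netty-transport"):
        print(version, "<-", " <- ".join(reversed(chain)), f"[{note}]" if note else "")
```

Run it on real output by piping `mvn dependency:tree -Dverbose` into a file and passing that text instead of `SAMPLE_TREE`; each reported chain names the dependency to upgrade or exclude.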

Hi @zoewangg

OWASP Dependency-Check still reports two issues on the newest version (2.10.24):
netty-nio-client-2.10.24.jar (pkg:maven/software.amazon.awssdk/netty-nio-client@2.10.24, cpe:2.3:a:netty:netty:2.10.24:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869
netty-reactive-streams-2.0.3.jar (pkg:maven/com.typesafe.netty/netty-reactive-streams@2.0.3, cpe:2.3:a:netty:netty:2.0.3:*:*:*:*:*:*:*) : CVE-2014-3488, CVE-2015-2156, CVE-2019-16869

Looks like the old netty version is pulled from our dependency netty-reactive-streams-2.0.3, but the SDK itself uses the latest netty version and should not have any issues.

We will schedule the work to update netty-reactive-streams version.

Closing this via #1560, in which the version of netty-reactive-streams was updated to 2.0.4.
