Aws-sdk-java: Please fix the following CVEs

Created on 30 Jul 2020 · 5 Comments · Source: aws/aws-sdk-java

From Jackson Databind 2.6.7.3

cve | severity | cvss
-- | -- | --
CVE-2017-15095 | critical | 9.8
CVE-2018-1000873 | medium | 6.5
CVE-2018-5968 | high | 8.1
CVE-2018-7489 | critical | 9.8
CVE-2019-14540 | critical | 9.8
CVE-2019-14893 | critical | 9.8
CVE-2019-16335 | critical | 9.8
CVE-2019-16942 | critical | 9.8
CVE-2019-16943 | critical | 9.8
CVE-2019-17267 | critical | 9.8
CVE-2019-17531 | critical | 9.8
CVE-2019-20330 | critical | 9.8
CVE-2020-10672 | high | 8.8
CVE-2020-10673 | high | 8.8
CVE-2020-10968 | high | 8.8
CVE-2020-10969 | high | 8.8
CVE-2020-11111 | high | 8.8
CVE-2020-11112 | high | 8.8
CVE-2020-11113 | high | 8.8
CVE-2020-11619 | critical | 9.8
CVE-2020-11620 | critical | 9.8
CVE-2020-14060 | high | 8.1
CVE-2020-14061 | high | 8.1
CVE-2020-14062 | high | 8.1
CVE-2020-14195 | high | 8.1
CVE-2020-8840 | critical | 9.8
CVE-2020-9546 | critical | 9.8
CVE-2020-9547 | critical | 9.8
CVE-2020-9548 | critical | 9.8

From netty 4.1.44.Final

cve | severity | cvss
-- | -- | --
CVE-2020-11612 | critical | 9.8

Our security team is trying to ban us from using EMR because of this issue, and Spark on EMR uses the v1 SDK to talk to a lot of the services in AWS.

Labels: bug, dependencies

All 5 comments

Couldn't you just override the versions of those libraries? Netty and Jackson don't have much breaking changes.

No, they are shaded in the bundle, which is what hadoop-aws uses and so what Spark uses.

Hi @AceHack, thank you for reaching out.

The SDK is not directly impacted by CVE-2017-15095 and CVE-2018-7489, as stated in our README.

jackson-databind 2.6.7.3 has backported all the fixes up to 2.9.10 (see the Jackson 2.6.7.3 release notes), so from your list, the CVEs not covered are those from CVE-2019-20330 onward. We tried to upgrade to 2.10.1 in #2158, but after running integration tests we saw some breaking changes, so we're not able to upgrade the Jackson version on the SDK side. We know this is a pain with all the security tools, and I know you mentioned these are shaded dependencies in your case, but you should be able to override the dependency version on your end. Or you can use SDK v2, which uses Jackson 2.10.4.

For the netty upgrade, I'll see to it.

These are shaded by the AWS SDK bundle provided by you and used by Spark, so there is no way to upgrade on my end. Also, the hadoop-aws package used by Spark, built and provided by AWS, uses the v1 SDK, so there is no way to upgrade to SDK v2. Currently, because of the AWS-provided jars/packages, it's impossible to talk to things like S3, Kinesis, etc. in Spark and EMR without tons of CVEs.
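The disagreement above (override the version on your end vs. it is shaded inside the bundle, so you cannot) is settled by looking inside the jar that actually ships. The script below is an added example, not code from this thread or from the aws-sdk-java project: it opens a jar, reads every `META-INF/maven/**/pom.properties` descriptor (the maven-shade-plugin keeps these by default even though it relocates the class packages), and reports any bundled artifact whose version is below a caller-supplied minimum. The thresholds use the two versions the thread mentions (Jackson 2.10.1 from the attempted upgrade in #2158, netty 4.1.48.Final from SDK 1.11.848) purely as example inputs; the sample jar, its relocated class path and the `netty-codec-http` descriptor are constructed here, not taken from the real bundle.

```python
import io
import zipfile

# Example minimum versions, taken from versions the thread mentions. A key of
# (groupId, None) applies to every artifact in that group. These are inputs to the
# check, not a claim about which versions fix the CVEs listed in the issue.
MINIMUM_VERSIONS = {
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.10.1",
    ("io.netty", None): "4.1.48.Final",
}


def parse_version(version):
    """Turn '4.1.44.Final' into (4, 1, 44); non-numeric trailing parts are dropped."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_properties(text):
    """Minimal parser for Maven pom.properties: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def shaded_artifacts(jar):
    """Map (groupId, artifactId) -> version for every pom.properties descriptor in the
    jar. An empty result means the build stripped the descriptors, so the jar gives
    no evidence either way; it does not mean the jar is clean."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found[(props["groupId"], props["artifactId"])] = props["version"]
    return found


def outdated(jar, minimums=MINIMUM_VERSIONS):
    """Return sorted (groupId, artifactId, found, required) tuples for each bundled
    artifact below its minimum. `jar` may be a path or a file-like object."""
    flagged = []
    for (group, artifact), version in shaded_artifacts(jar).items():
        required = minimums.get((group, artifact)) or minimums.get((group, None))
        if required and parse_version(version) < parse_version(required):
            flagged.append((group, artifact, version, required))
    return sorted(flagged)


def build_sample_jar():
    """Constructed stand-in for a shaded bundle (not the real aws-java-sdk-bundle):
    a relocated class entry plus the descriptors the shade plugin leaves in place."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("shaded/jackson/databind/ObjectMapper.class", b"")  # hypothetical path
        zf.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
            "#Generated by Maven\nversion=2.6.7.3\n"
            "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
        zf.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties",
            "version=2.6.7\ngroupId=com.fasterxml.jackson.core\nartifactId=jackson-core\n")
        zf.writestr(
            "META-INF/maven/io.netty/netty-codec-http/pom.properties",
            "version=4.1.44.Final\ngroupId=io.netty\nartifactId=netty-codec-http\n")
    return buf.getvalue()


def check_sample():
    """Run the check against the constructed jar; used when no path is given."""
    return outdated(io.BytesIO(build_sample_jar()))


if __name__ == "__main__":
    import sys
    report = outdated(sys.argv[1]) if len(sys.argv) > 1 else check_sample()
    for group, artifact, found, required in report:
        print(f"{group}:{artifact} {found} is below minimum {required}")
    if not report:
        print("nothing below the configured minimums (or no descriptors in the jar)")
```

Run it as `python check_bundle.py aws-java-sdk-bundle-<version>.jar` against the bundle on the EMR classpath; jackson-core is bundled in the sample too but carries no minimum, so only the two artifacts with thresholds are reported. Because the classes are relocated, a normal Maven `dependencyManagement` override of `jackson-databind` has no effect on what these descriptors record, which is the point the comment above makes.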

SDK version 1.11.848 upgraded netty to 4.1.48.Final.
