Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[BUG] spring-cloud-azure-starter-keyvault-secrets (5.14.0) - vulnerabilities in dependent netty-handler (4.1.111.Final) library #41141

Closed bladyzamosc closed 1 day ago

bladyzamosc commented 1 month ago

Hello. I am kindly asking for help in solving the problem.

Part of the hierarchy of the spring-cloud-azure-starter-keyvault-secrets looks like this:

Report description - Security vulnerability sonatype-2020-0026:

The netty-handler package is vulnerable to Improper Certificate Validation. The newHandler methods in SslContext.class do not verify hostnames by default when generating a new SSLEngine. An attacker can exploit this as part of a Man-in-the-Middle (MitM) attack to spoof their identity and gain access to or modify sensitive data.

Note: This issue had earlier been assigned CVE-2023-4586, however, it was later determined that the vulnerability does not apply to netty-handler as it stems from (mis)configuration rather than an inherent flaw in the component. As such, the Sonatype Security Research team is providing data on this vulnerability for informational purposes under sonatype-2020-0026. You may discretionary waive this vulnerability should your organization's risk tolerance policy allow so. Open source components affected by the Improper Certificate Validation flaw (e.g. The Infinispan / Data Grid Hot Rod client) will show up separately under CVE-2023-4586 and not sonatype-2020-0026.

Expected behavior

Removing the problem at the level of the spring-cloud-azure-starter-keyvault-secrets library, or proposing another solution to the problem using this library.

Screenshots

image

Setup

Additional context This issue is important for security reasons. In my case, spring-cloud-azure-starter-keyvault-secrets is used in many projects and replacing it with another solution will be extremely expensive or not entirely possible.
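As an added illustration of the misconfiguration the Sonatype note above describes (this is example code written here, not code from the issue, from Netty or from the Azure SDK), the following Netty client `ChannelInitializer` shows the default engine produced by `SslContext.newHandler` beside one on which JSSE endpoint identification has been switched on, which is what makes the engine compare the server certificate's name to the expected host. The class and field names are assumptions; the Netty and JSSE calls used are the standard 4.1.x and JDK APIs.

```java
// Added example (not from the issue, Netty or the Azure SDK): turning on
// hostname verification for a Netty client SslHandler. Assumes Netty 4.1.x.
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

public final class HostnameVerifyingTlsInitializer extends ChannelInitializer<SocketChannel> {

    private final SslContext sslContext;
    private final String peerHost;   // name we expect to find in the server certificate
    private final int peerPort;

    public HostnameVerifyingTlsInitializer(String peerHost, int peerPort) throws SSLException {
        // Client context using the JDK's default trust store. Building it does
        // not, by itself, enable hostname verification on engines it creates.
        this.sslContext = SslContextBuilder.forClient().build();
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        // WEAK (the pattern the Sonatype note is about): the engine validates
        // the certificate chain against the trust store, but nothing checks
        // that the certificate was issued for peerHost, so any certificate
        // from a trusted CA for any name is accepted.
        //   SslHandler weak = sslContext.newHandler(ch.alloc());

        // HARDENED: give the engine the peer host/port (also used for SNI) and
        // ask JSSE to perform "HTTPS" endpoint identification, i.e. match the
        // certificate's subject alternative names against peerHost.
        SslHandler handler = sslContext.newHandler(ch.alloc(), peerHost, peerPort);
        enableHostnameVerification(handler.engine());
        ch.pipeline().addFirst("tls", handler);
    }

    /**
     * Enables endpoint identification on an engine that has not started its
     * handshake yet. Must run before the SslHandler is added to the pipeline,
     * because the handshake begins as soon as the channel is active.
     */
    static void enableHostnameVerification(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
    }
}
```

The point for a reviewer of a finding like sonatype-2020-0026 is therefore not the netty-handler version but whether the code (or the HTTP client library) that creates the `SSLEngine` sets the endpoint identification algorithm; a quick way to check an existing client is to break at `SslHandler.engine()` and inspect `getSSLParameters().getEndpointIdentificationAlgorithm()`, which should not be null.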

github-actions[bot] commented 1 month ago

@moarychan @netyyyy @rujche @saragluna

github-actions[bot] commented 1 month ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

rujche commented 1 month ago

Hi, @bladyzamosc .

Thanks for reaching out.

In Spring Cloud Azure, the external dependencies' versions are aligned with Spring Boot. spring-cloud-azure-starter-keyvault-secrets : 5.14.0 depends on io.netty : netty-handler : 4.1.111.final, because spring-cloud-azure-starter-keyvault-secrets : 5.14.0 is aligned with Spring Boot 3.3.1. And spring-boot-dependencies:3.3.1's netty version is 4.1.111.final.

Refs: https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/3.3.1/spring-boot-dependencies-3.3.1.pom

image

To solve the vulnerabilities in your project, you can add dependency version manually like this:

    <dependencies>
        <!-- Declaring netty-handler directly makes Maven resolve this version
             instead of the one inherited from spring-boot-dependencies. -->
        <dependency>
            <groupId>io.netty</groupId>
            <artifactId>netty-handler</artifactId>
            <!-- replace xxx with the netty-handler version you want the build to resolve -->
            <version>xxx</version>
        </dependency>
    </dependencies>

github-actions[bot] commented 3 weeks ago

Hi @bladyzamosc. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

github-actions[bot] commented 2 weeks ago

Hi @bladyzamosc, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!