aws / amazon-kinesis-video-streams-parser-library

Amazon Kinesis Video Streams parser library is for developers to include in their applications that makes it easy to work with the output of video streams such as retrieving frame-level objects, metadata for fragments, and more.
Apache License 2.0

[QUESTION] slf4j security vulnerability dependency on log4j v1.2.17 #149

Closed brandontyler closed 2 years ago

brandontyler commented 2 years ago

We are using the latest amazon-kinesis-video-streams-parser-library (v1.2.1) to grab an audio stream and save the audio to S3. However, there are several security vulnerabilities in this AWS-owned library (jar) file. One such dependency is the log4j v1.2.17 vulnerability. It is used by the slf4j dependency.

Is there a plan to update this library?

com.amazonaws:amazon-kinesis-video-streams-parser-library:1.2.1

BoyeMagnus commented 2 years ago

Agreed, I would also appreciate an update on this. Here is an overview of vulnerable dependencies (either direct or indirect): [screenshot]

E.g. the log4j issue is coming through: com.amazonaws:amazon-kinesis-video-streams-parser-library@1.2.1 › org.slf4j:slf4j-log4j12@1.7.33 › log4j:log4j@1.2.17

Our solution has for now been to fork the repo and do the upgrades ourselves.

brandontyler commented 2 years ago

Thank you for the reply! I'm curious how you are "doing the upgrades ourselves".

niyatim23 commented 2 years ago

Hi, thank you for bringing this to our notice. This is being worked on and the thread will be updated once it is available on Maven for use.

brandontyler commented 2 years ago

Thank you for resolving this! And what about the rest of the vulnerabilities:

01 io.netty:netty-codec SNYK-JAVA-IONETTY-564897

02 com.google.protobuf:protobuf-java SNYK-JAVA-COMGOOGLEPROTOBUF-2331703

03 io.netty:netty-codec-http SNYK-JAVA-IONETTY-543490

04 io.netty:netty-handler SNYK-JAVA-IONETTY-1082235

05 io.netty:netty-transport SNYK-JAVA-IONETTY-1082236

06 io.netty:netty-common SNYK-JAVA-IONETTY-1082234

07 com.google.guava:guava SNYK-JAVA-COMGOOGLEGUAVA-32236

08 commons-io:commons-io SNYK-JAVA-COMMONSIO-1277109

disa6302 commented 2 years ago

@brandontyler ,

Can you point me to the packages you are talking about in the pom.xml file? From what I see, we do not directly depend on these packages.

brandontyler commented 2 years ago

Looking at a dependency report I found these dependencies in com.amazonaws:amazon-kinesis-video-streams-parser-library:

"com.amazonaws:aws-java-sdk-kinesisvideo:jar:1.11.487:compile" -> "io.netty:netty-codec-http:jar:4.1.17.Final:compile" ;

"com.amazonaws:aws-java-sdk-kinesisvideo:jar:1.11.487:compile" -> "io.netty:netty-handler:jar:4.1.17.Final:compile" ;

"com.amazonaws:amazon-kinesis-client:jar:1.14.7:compile" -> "com.google.protobuf:protobuf-java:jar:3.19.1:compile" ; 

"com.amazonaws:amazon-kinesis-video-streams-producer-sdk-java:jar:1.8.0:compile" -> "com.google.guava:guava:jar:21.0:compile" ;

"com.amazonaws:amazon-kinesis-video-streams-producer-sdk-java:jar:1.8.0:compile" -> "commons-io:commons-io:jar:2.4:compile" ;
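As an added example (not the project's code), a small script that walks an edge list in the shape quoted above, as emitted by `mvn dependency:tree -DoutputType=dot`, and reports the full path from the root artifact to every coordinate on a watch-list; the second element of each path is the direct dependency under which a Maven exclusion or managed-version override would go. The sample graph and watch-list are constructed from versions named in this thread, and the root-to-producer-sdk edge is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of `mvn dependency:tree -DoutputType=dot` output:
# node labels are groupId:artifactId:type:version[:scope]. Edges reproduce the
# paths quoted in this thread; the root -> producer-sdk edge is an assumption.
SAMPLE_DOT = '''
digraph "com.amazonaws:amazon-kinesis-video-streams-parser-library:jar:1.2.1" {
 "com.amazonaws:amazon-kinesis-video-streams-parser-library:jar:1.2.1" -> "org.slf4j:slf4j-log4j12:jar:1.7.33:compile" ;
 "org.slf4j:slf4j-log4j12:jar:1.7.33:compile" -> "log4j:log4j:jar:1.2.17:compile" ;
 "com.amazonaws:amazon-kinesis-video-streams-parser-library:jar:1.2.1" -> "com.amazonaws:aws-java-sdk-kinesisvideo:jar:1.11.487:compile" ;
 "com.amazonaws:aws-java-sdk-kinesisvideo:jar:1.11.487:compile" -> "io.netty:netty-codec-http:jar:4.1.17.Final:compile" ;
 "com.amazonaws:amazon-kinesis-video-streams-parser-library:jar:1.2.1" -> "com.amazonaws:amazon-kinesis-video-streams-producer-sdk-java:jar:1.8.0:compile" ;
 "com.amazonaws:amazon-kinesis-video-streams-producer-sdk-java:jar:1.8.0:compile" -> "commons-io:commons-io:jar:2.4:compile" ;
}
'''
# Exact coordinates called out in the thread (a watch-list, not an advisory feed).
WATCHLIST = {("log4j:log4j", "1.2.17"), ("io.netty:netty-codec-http", "4.1.17.Final"),
             ("io.netty:netty-handler", "4.1.17.Final"), ("commons-io:commons-io", "2.4"),
             ("com.google.guava:guava", "21.0"), ("com.google.protobuf:protobuf-java", "3.19.1")}
EDGE_RE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"\s*;')

def parse_edges(dot_text):
    """Return an adjacency list {parent_label: [child_label, ...]} from dot output."""
    graph = defaultdict(list)
    for parent, child in EDGE_RE.findall(dot_text):
        graph[parent].append(child)
    return graph

def ga_version(label):
    """Split 'group:artifact:type:version[:scope]' into ('group:artifact', version)."""
    parts = label.split(":")
    return f"{parts[0]}:{parts[1]}", parts[3]

def find_vulnerable_paths(dot_text, watchlist=WATCHLIST):
    """Depth-first walk from each root; return one root-to-node path per watch-listed node."""
    graph = parse_edges(dot_text)
    children = {c for cs in graph.values() for c in cs}
    roots = [p for p in graph if p not in children]   # nodes nobody depends on
    hits = []
    def walk(node, path):
        if ga_version(node) in watchlist:
            hits.append(path)
        for child in graph.get(node, []):
            if child not in path:                     # guard against cycles in bad input
                walk(child, path + [child])
    for root in roots:
        walk(root, [root])
    return hits
```

Each returned path reads root, direct dependency, ..., flagged artifact, so `path[1]` names the `<dependency>` that needs the `<exclusion>` or the version pinned via `<dependencyManagement>`.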

brandontyler commented 2 years ago

Any update on these vulnerabilities?

niyatim23 commented 2 years ago

Hi @brandontyler, we are looking into it. We will update the issue once we have something.

brandontyler commented 2 years ago

> Hi @brandontyler, we are looking into it. We will update the issue once we have something.

Thank you so much!

niyatim23 commented 2 years ago

Hi @brandontyler, we have released 1.2.3 on GitHub as well as Maven for the parser library, which has the packages upgraded. Please check if it fixes the issues.

brandontyler commented 2 years ago

Thank you so much for working on this. I'll update and test.

niyatim23 commented 2 years ago

Sure, closing this issue for now. Feel free to reopen it in case of any further questions.

BoyeMagnus commented 2 years ago

@niyatim23, can you reopen and have a look at this: [screenshot]

Or maybe I should go ahead and bother the amazon kinesis client guys? ;-)

niyatim23 commented 2 years ago

Hi @BoyeMagnus, there was a recent release for amazon-kinesis-client in February, after our release. The newest version of amazon-kinesis-client would fix this. We'll work on updating this for the parser library and let you know once we have something.

niyatim23 commented 2 years ago

Hi @BoyeMagnus, release 1.2.4 is available on GitHub as well as Maven. Please check if the update fixes your issue. Closing this issue for now. Feel free to reopen it in case of any further questions.