aws / aws-sdk-java

The official AWS SDK for Java 1.x (In Maintenance Mode, End-of-Life on 12/31/2025). The AWS SDK for Java 2.x is available here: https://github.com/aws/aws-sdk-java-v2/
https://aws.amazon.com/sdkforjava
Apache License 2.0

[Security vulnerability] Upgrade Jackson-core package to the latest version in aws-sdk-bundle #3126

Closed Poojitha-R-Rao closed 3 months ago

Poojitha-R-Rao commented 4 months ago

Upcoming End-of-Support

Describe the bug

aws-sdk-bundle-1.12.755.jar and all the prior versions use jackson-core version 2.12.7, which is vulnerable as per below description.

PRISMA-2023-0067 - Description: com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS). The package does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended and leads to Uncontrolled Resource Consumption ('Resource Exhaustion').

Please help to upgrade jackson core to the latest version 2.17.1

Expected Behavior

N/A

Current Behavior

N/A

Reproduction Steps

N/A

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

aws-sdk-bundle-1.12.755

JDK version used

openjdk version "11.0.23"

Operating System and version

N/A

debora-ito commented 4 months ago

@Poojitha-R-Rao is there a CVE associated with this PRISMA report?

The vulnerability description is too generic to understand if the SDK is impacted.

Poojitha-R-Rao commented 4 months ago

@debora-ito - No, we do not have a direct CVE, but we have references from other places (please find links below). Our twistlock scans revealed this. Please upgrade jackson-core to the latest.

- https://github.com/DataDog/dd-trace-java/issues/5844
- https://github.com/zendesk/maxwell/issues/2013
- https://lists.apache.org/thread/foz49f5nqt6splrhpc21okqkfgpyz68r
- https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426

L-Applin commented 4 months ago

I cannot find online references to the PRISMA-2023-0067 vulnerability. If this is about CVE-2022-42003, the SDK is not at risk as it does not use the UNWRAP_SINGLE_VALUE_ARRAYS feature. Do you have more information about the vulnerability you are referring to, so that we can evaluate whether the SDK is at risk or not?

github-actions[bot] commented 4 months ago

It looks like this issue has not been active for more than five days. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please add a comment to prevent automatic closure, or if the issue is already closed please feel free to reopen it.

debora-ito commented 4 months ago

We are looking into upgrading jackson based on the changes made in a jackson-core PR associated with the PRISMA report.

The jackson PR won't be backported to 2.12.x, and we can't simply upgrade the dependency to 2.15 without breaking, so we'll study what changes are needed on the SDK side to support the jackson upgrade.

debora-ito commented 3 months ago

We upgraded jackson to 2.17.2 in the latest SDK release 1.12.768:

https://github.com/aws/aws-sdk-java/blob/cde0d2a7d49f776c8db99d7c4f946ebbd9e6c238/pom.xml#L429-L430

In order to upgrade the jackson version we had to drop support for Java 7, so starting with SDK version 1.12.768 Java 8+ is required. See more details in the blog post announcement: https://aws.amazon.com/blogs/developer/the-aws-sdk-for-java-1-x-will-no-longer-support-java-7/

Let us know if you have any questions or feedback.
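The thread boils down to two version thresholds a consumer can check for: jackson-core below 2.15.0 (the range named in the PRISMA description quoted above) and aws-sdk-bundle below 1.12.768 (the release that ships jackson 2.17.2). The following checker is an added example, not code from the aws-sdk-java project or from anyone in this thread. It scans `mvn dependency:tree` / `dependency:list` style output for those coordinates and reports what needs upgrading; the dependency listing it runs against is constructed for the example, and the regular expression assumes plain `group:artifact:type:version[:scope]` coordinates (classifiers are not handled). Because the bundle packages its own copy of jackson inside the jar (which is what the reporter's scan found), a plain dependency tree shows only the bundle coordinate, so the check keys on the bundle version as well as on any directly declared jackson-core.

```python
"""Flag pre-fix jackson-core and aws-sdk-bundle versions in Maven dependency output.

Added example for this issue thread; thresholds come from the discussion:
  - jackson-core < 2.15.0   : range named in the PRISMA-2023-0067 description
  - aws-sdk-bundle < 1.12.768: releases before the jackson 2.17.2 upgrade
"""
import re
from typing import List, Tuple

JACKSON_FIXED = (2, 15, 0)
SDK_FIXED = (1, 12, 768)

# Matches Maven coordinates as printed by `mvn dependency:tree` / `dependency:list`,
# e.g. "com.fasterxml.jackson.core:jackson-core:jar:2.12.7:compile".
# Assumes group:artifact:type:version[:scope]; classifiers are not handled.
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?")

# Constructed sample output; NOT taken from a real build.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.amazonaws:aws-sdk-bundle:jar:1.12.755:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.12.7:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.12.7' into (2, 12, 7).

    Numeric prefixes of each dot-separated piece are kept; a non-numeric
    suffix such as '-rc1' ends the parse, so '2.17.2-rc1' -> (2, 17, 2).
    Tuples compare element-wise, which is exactly what a threshold check needs.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def check_dependencies(text: str) -> List[str]:
    """Return one finding per coordinate that is below a fix threshold.

    An empty list means nothing in the listing matched a known-bad range.
    """
    findings: List[str] = []
    for group, artifact, version in COORD_RE.findall(text):
        ver = parse_version(version)
        if (group, artifact) == ("com.fasterxml.jackson.core", "jackson-core") and ver < JACKSON_FIXED:
            findings.append(
                f"jackson-core {version} is below 2.15.0 (PRISMA-2023-0067 range); "
                f"upgrade jackson-core to 2.15.0 or later"
            )
        if (group, artifact) == ("com.amazonaws", "aws-sdk-bundle") and ver < SDK_FIXED:
            findings.append(
                f"aws-sdk-bundle {version} predates the jackson upgrade; "
                f"upgrade to 1.12.768 or later (requires Java 8+)"
            )
    return findings


if __name__ == "__main__":
    for finding in check_dependencies(SAMPLE_TREE) or ["no findings"]:
        print(finding)
```

Feed it the real output of `mvn dependency:tree` on your project instead of `SAMPLE_TREE` to get the same report for your build; a fixed bundle line such as `com.amazonaws:aws-sdk-bundle:jar:1.12.768:compile` produces no finding.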