[ISSUE] Vulnerability GO-2022-0646 in AWS SDK Go

[drodriguez-305]

Describe the issue: We have identified a security vulnerability, referenced as GO-2022-0646, in our project that uses the AWS SDK for Go. This vulnerability arises from using the V1 EncryptionClient, specifically with AES-CBC content cipher or the KMS key wrap algorithm. An attacker with write access to an S3 bucket could potentially decrypt files in that bucket.

It can only be triggered, though, if a particular, deprecated function is called. We would need to confirm this.

How to reproduce: https://github.com/camunda/camunda-platform-helm/blob/18d18939c7243ba95f34333a818f887eb10fa5af/go.mod#L15

Possible Solutions/Workarounds:

• Migrating from the V1 EncryptionClient to the V1 EncryptionClientV2 API in AWS SDK for Go as recommended.
• Assessing the feasibility of updating our project to use AWS SDK for Go v2, which may offer more robust security features and is not affected by this vulnerability.
• Confirm its a false positive by ensuring the deprecated function is not called.

Useful Links:

• https://security.googleblog.com/2023/04/supply-chain-security-for-go-part-1.html
• https://osv.dev/vulnerability/GO-2022-0646
• https://github.com/golang/vulndb/issues/2350

Environment:

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

• AWS SDK for Go version: 1.44.122
• Platform:
• Helm CLI version:
• Chart version:
• Values file:

[drodriguez-305]

@aabouzaid

Can we remove this dependency as it is indirect?

[aabouzaid]

@drodriguez-305 We cannot remove them since they are needed by the module we use github.com/gruntwork-io/terratest. I've checked the latest version and of terratest and I see that it uses the vulnerable version.

So let's ignore them as described in the remediation section using osv-scanner.toml.