cognitect-labs / aws-api

AWS, data driven
Apache License 2.0

cognitect aws-api dependency security issues #249

Closed timotheosh closed 9 months ago

timotheosh commented 11 months ago

The current version of aws-api has started throwing Snyk alerts on us because of the outdated Jetty dependency of Cognitect's http-client:

  ✗ Improper Handling of Length Parameter Inconsistency [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-5902998] in org.eclipse.jetty:jetty-http@9.4.51.v20230217
    introduced by com.cognitect.aws:api@0.8.681 > com.cognitect:http-client@1.0.125 > org.eclipse.jetty:jetty-http@9.4.51.v20230217
  This issue was fixed in versions: 9.4.52.v20230823, 10.0.16, 11.0.16, 12.0.1
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-5958847] in org.eclipse.jetty:jetty-http@9.4.51.v20230217
    introduced by com.cognitect.aws:api@0.8.681 > com.cognitect:http-client@1.0.125 > org.eclipse.jetty:jetty-http@9.4.51.v20230217
  This issue was fixed in versions: 9.4.53.v20231009, 10.0.16, 11.0.16

I realize this is an http server issue and not a client issue, so does not affect the aws-api directly, but we are having to put in Snyk exceptions for every project we use this library for with a maximum expiration of 90 days (imposed by our Security team).

Jetty 9.4.x only supports Java 8, while later supported versions support Java 11+. While this, as far as we can tell, does not directly impact our use of aws-api, I think this is an important enough issue to start tracking. Since Cognitect's http-client is not open source (as far as we can tell) we can't offer any PRs for it.

We also noticed that it looks like aws-api already has the makings of its own http-client (src/cognitect/aws/http.clj). Is there any reason why aws-api should need to use the older Cognitect library over its own?

This issue is related to #245 that an associate of mine submitted a month ago.
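As an added example (not code from aws-api, cognitect http-client, or the issue author), a small Python check that reads the "introduced by" chain Snyk prints above and tests the jetty-http version against each advisory's "fixed in" list, applying the rule that a fix on the 10.x line says nothing about a 9.4.x artifact. The advisory ids and fixed versions are the ones quoted in the issue; the chain strings are constructed.

```python
"""Decide whether the jetty-http version in a Snyk dependency chain is fixed.

Added example, not part of aws-api. Advisory ids and "fixed in" versions are
the ones quoted in the issue; chain strings are constructed sample input.
"""
import re
from typing import List, Tuple

# Constructed from the two Snyk findings quoted in the issue.
ADVISORIES = {
    "SNYK-JAVA-ORGECLIPSEJETTY-5902998": ["9.4.52.v20230823", "10.0.16", "11.0.16", "12.0.1"],
    "SNYK-JAVA-ORGECLIPSEJETTY-5958847": ["9.4.53.v20231009", "10.0.16", "11.0.16"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.4.51.v20230217' -> (9, 4, 51). The 'vYYYYMMDD' qualifier is dropped
    because Jetty's numeric triple already orders releases on a line."""
    nums = []
    for part in v.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def is_fixed(version: str, fixed_versions: List[str]) -> bool:
    """True only if a fixed release exists on the same major.minor line and the
    version is at or above it. 10.0.15 is not fixed by 9.4.52, and 9.4.51 is
    not fixed by 10.0.16. A line with no listed fix is treated as unfixed
    (conservative: it may simply be unaffected, but Snyk did not say so)."""
    v = parse_version(version)
    for f in fixed_versions:
        fv = parse_version(f)
        if v[:2] == fv[:2] and v >= fv:
            return True
    return False


def jetty_http_version(chain: str) -> str:
    """Pull the jetty-http artifact version out of a Snyk 'introduced by' chain."""
    m = re.search(r"org\.eclipse\.jetty:jetty-http@(\S+)", chain)
    if not m:
        raise ValueError("no jetty-http artifact in chain")
    return m.group(1)


def open_advisories(chain: str) -> List[str]:
    """Advisory ids that still apply to the jetty-http version in the chain."""
    version = jetty_http_version(chain)
    return [aid for aid, fixed in ADVISORIES.items() if not is_fixed(version, fixed)]


# Chain exactly as Snyk reported it in the issue (constructed sample input).
REPORTED_CHAIN = ("com.cognitect.aws:api@0.8.681 > com.cognitect:http-client@1.0.125 "
                  "> org.eclipse.jetty:jetty-http@9.4.51.v20230217")
```

Running `open_advisories(REPORTED_CHAIN)` returns both advisory ids for the 9.4.51 chain, and an empty list once the chain carries 9.4.53.v20231009.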

scottbale commented 10 months ago

Hi @timotheosh,

My two-part answer:

First, most immediately, we are awaiting a new release of the cognitect http client library which will depend on Jetty 9.4.53 (the latest 9.4.x as of this writing, and which fixes the vulnerability you mention). Once it is available, and I'm told it will be soon, we will release a new version of aws-api with it. I expect this to happen within a matter of not very many weeks, at worst.

Second, longer term, we have been working on a different http client implementation, one which depends only on the JDK's java.net.http module starting with JDK 11.

Solving the Jetty 9.x transitive dependency problem is our top priority.

scottbale commented 9 months ago

Hello again @timotheosh,

I'm going to close this as fixed with the release of 0.8.692 which pulls in Jetty 9.4.53, the latest Jetty 9.x.