spring-cloud / spring-cloud-stream-binder-aws-kinesis

Spring Cloud Stream binder for AWS Kinesis
Apache License 2.0

Vulnerabilities in version 4.0.3 from amazon-kinesis-producer #220

Open louiscb opened 3 months ago

louiscb commented 3 months ago

In what version(s) of Spring Cloud Stream Binder for AWS Kinesis are you seeing this issue?

4.0.3

Describe the bug

According to JetBrains' vulnerability tool there are two vulnerabilities caused by dependencies of maven:com.amazonaws:amazon-kinesis-producer:0.15.10

Running mvn dependency:tree you can see the dependencies of the project.

1) Dependency maven:software.amazon.ion:ion-java:1.0.2 is vulnerable

CVE-2024-21634, Score: 7.5

Amazon Ion is a Java implementation of the Ion data notation. In versions prior to 1.10.5, a potential denial-of-service (DoS) attack issue exists in 'ion-java' for applications that use "ion-java" to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the "IonValue" model and then invoke certain "IonValue" methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the "IonValue" model, results in a StackOverflowError originating from the "ion-java" library. As a workaround, do not load data that originated from an untrusted source or that could have been tampered with.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2024-21634?utm_source=jetbrains&utm_medium=referral

Results powered by Checkmarx ©

2) Dependency maven:com.google.guava:guava:31.1-jre is vulnerable

Upgrade to 32.0.0-android

CVE-2023-2976, Score: 7.1

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 through 31.1-jre on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-2976?utm_source=jetbrains&utm_medium=referral

To Reproduce

In IntelliJ (JetBrains), use the vulnerable dependencies tool in a project that has spring-cloud-stream-binder-kinesis as a dependency.

Expected behavior

No vulnerabilities.

artembilan commented 3 months ago

I believe both of those reports are false positives since we talk here about a producer, so even if that KPL uses Ion for serialization, there is definitely no deserialization to be vulnerable. Same about Google Guava and its vulnerability for those temporary files. Either way we don't manage those dependencies directly in this project: they come transitively via the KPL library. As you see we currently indeed use the latest version of KPL, so the question about upgrading those transitive dependencies is definitely up to AWS itself.

Why do you report it here? What would you expect from us as a fix in this project?
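For readers who need the scanner findings cleared in their own build while the upstream KPL dependency is unchanged, the usual consumer-side mitigation is to pin the two transitive artifacts from the application's own pom.xml. This is an added example, not code from the binder project or the issue participants; it assumes the consuming application builds with Maven, that the fixed versions named in the report (ion-java 1.10.5, Guava 32.0.1 with the `-jre` classifier matching the current 31.1-jre) are API-compatible with amazon-kinesis-producer 0.15.10, which must be confirmed by running the application's own tests.

```xml
<!-- pom.xml of the consuming application (added example, not from the binder project).
     dependencyManagement entries win over the versions that
     amazon-kinesis-producer 0.15.10 declares transitively. -->
<project>
  <!-- ... groupId, artifactId, version of the application ... -->

  <dependencyManagement>
    <dependencies>
      <!-- CVE-2024-21634: versions before 1.10.5 can hit a StackOverflowError
           when parsing crafted Ion text or IonValue trees. -->
      <dependency>
        <groupId>software.amazon.ion</groupId>
        <artifactId>ion-java</artifactId>
        <version>1.10.5</version>
      </dependency>

      <!-- CVE-2023-2976: FileBackedOutputStream used the shared default temp
           directory. 32.0.1 is recommended over 32.0.0, which broke on Windows.
           "-jre" classifier is assumed to match the 31.1-jre currently pulled in. -->
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>32.0.1-jre</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The binder itself stays unchanged; only the transitive pins above differ.
         Version placeholder: use the binder release the application already declares. -->
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-stream-binder-kinesis</artifactId>
      <version>4.0.3</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=software.amazon.ion:ion-java,com.google.guava:guava` and check that only the pinned versions appear; if the KPL behaves differently afterwards, the pins, not the binder, are the first thing to suspect.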