Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Amazon Ion-Java has a vulnerability CVE-2024-21634 #22632

Closed
2 of 3 tasks
nikhil-ctds opened this issue May 2, 2024 · 0 comments · Fixed by #22633
Closed
2 of 3 tasks

[Bug] Amazon Ion-Java has a vulnerability CVE-2024-21634 #22632

nikhil-ctds opened this issue May 2, 2024 · 0 comments · Fixed by #22633
Labels
type/bug The PR fixed a bug or issue reported a bug

Comments

@nikhil-ctds
Copy link

Search before asking

  • I searched in the issues and found nothing similar.

Read release policy

  • I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

Version

Version - 3.3.0-SNAPSHOT
Branch - master

Minimal reproduce step

Ran security scan on pulsar-io-kinesis connector
https://security.snyk.io/vuln/SNYK-JAVA-SOFTWAREAMAZONION-6153869

What did you expect to see?

No Vulnerabilities

What did you see instead?

Found a High Vulnerability on software.amazon.ion:ion-java version 1.0.2
CVE-2024-21634
Github Advisory link - GHSA-264p-99wq-f4j6)

Anything else?

Pulsar doesn't have a direct dependency on Ion-java
Pulsar has a dependency on aws-java-sdk-core

<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-core</artifactId>
<version>1.12.262</version>

Which in-turn has a dependency on ion-java

<groupId>software.amazon.ion</groupId>
<artifactId>ion-java</artifactId>
<version>1.0.2</version>

The patch is for ion-java included in 1.10.5 version as mentioned here

The domain name has changed from software.amazon.ion to com.amazon.ion
https://mvnrepository.com/artifact/com.amazon.ion/ion-java/1.10.5

Aws-sdk-java-core has dropped the ion dependency in v1.12.638

The fix would be to update the aws-sdk-java-core version to <version>1.12.638</version> in pulsar

Are you willing to submit a PR?

  • I'm willing to submit a PR!
@nikhil-ctds nikhil-ctds added the type/bug The PR fixed a bug or issue reported a bug label May 2, 2024
@nikhilerigila09 nikhilerigila09 mentioned this issue May 2, 2024
Merged
15 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/bug The PR fixed a bug or issue reported a bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[fix][sec] Upgrade aws-sdk.version to avoid CVE-2024-21634 cognitree/pulsar
1 participant
@nikhil-ctds