PRISMA-2021-0055 vulnerability in latest ibm-cos-java-sdk-bundle-2.9.1.jar
tcherel opened this issue
We are getting a vulnerability report on ibm-cos-java-sdk-bundle-2.9.1.jar about the shaded commons-codec 1.11 dependency that should be upgraded to 1.13 or higher.
I am not able to find much details about what PRISMA-2021-0055 is.
Is it possible to schedule an update of commons-codec to 1.13 or to the latest version so it is current?
Thanks.
Could you provide more details on the vulnerability report? Could that number be a tool-specific reference?
There is an upstream issue on this topic: aws/aws-sdk-java#125. The only reference to commons-codec is the main pom.xml. No version is listed, so there is nothing to update. We already updated HttpClient to 4.5.13 (the latest) as part of our recent release.
Thanks @IBMeric
Yes, it is a tool specific reference and I am still trying to get the details from the vendor.
But I suspect that this is related to the known commons-codec 1.11 vulnerability described here: https://issues.apache.org/jira/browse/HTTPCLIENT-2072
ibm-cos-java-sdk-bundle-2.9.1.jar contains the META-INF/maven/commons-codec/commons-codec/pom.xml file which makes an explicit reference to commons-codec 1.11
I believe that this jar file contains its own copy of commons-codec 1.11 (shaded dependency) which is why the scanning tool is raising this issue.
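As an added example (not code from this thread, from the ibm-cos-sdk project or from aws-sdk-java), here is a small Python check that reproduces the evidence the scanner is working from: it lists the Maven coordinates bundled inside a jar by reading the `META-INF/maven/<groupId>/<artifactId>/pom.properties` and `pom.xml` descriptors that shading leaves behind, and flags any artifact below a policy floor. It generalizes to any shaded dependency, not only commons-codec. The 1.13 floor for commons-codec is the one the thread reports; the in-memory jar, its class entry and the httpclient descriptor are constructed sample data, and `POLICY` is a hypothetical local policy table.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Hypothetical policy table: minimum acceptable version per Maven coordinate.
# The commons-codec floor of 1.13 is the one the scanner in the thread reports.
POLICY = {("commons-codec", "commons-codec"): "1.13"}

# Descriptor paths that the maven-shade / assembly plugins copy into a bundle jar.
MAVEN_ENTRY = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/(pom\.properties|pom\.xml)$")


def parse_version(version):
    """Turn '1.11' or '4.5.13' into a comparable key. A qualifier such as
    '-SNAPSHOT' or '-RC1' sorts below the plain release of the same number."""
    nums, qualifier = [], 0
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = -1
    return (tuple(nums), qualifier)


def _version_from_properties(text):
    """Read the version key from a Java .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props.get("version")


def _version_from_pom(text):
    """Read <version> from a pom.xml, falling back to <parent><version>."""
    def local(el):  # drop the POM XML namespace from a tag name
        return el.tag.rsplit("}", 1)[-1]

    root = ET.fromstring(text)
    own = parent = None
    for child in root:
        if local(child) == "version":
            own = (child.text or "").strip()
        elif local(child) == "parent":
            for sub in child:
                if local(sub) == "version":
                    parent = (sub.text or "").strip()
    return own or parent


def shaded_artifacts(jar_bytes):
    """Map (groupId, artifactId) -> version for every Maven descriptor in the jar.
    pom.properties is authoritative; pom.xml is only used when no properties exist."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = MAVEN_ENTRY.match(name)
            if not m:
                continue
            group, artifact, kind = m.groups()
            text = jar.read(name).decode("utf-8", errors="replace")
            if kind == "pom.properties":
                version = _version_from_properties(text)
            else:
                version = _version_from_pom(text)
            key = (group, artifact)
            if version and (kind == "pom.properties" or key not in found):
                found[key] = version
    return found


def flag_outdated(artifacts, policy=POLICY):
    """Return (group, artifact, bundled, minimum) for each artifact below its floor."""
    hits = []
    for key, minimum in policy.items():
        bundled = artifacts.get(key)
        if bundled is not None and parse_version(bundled) < parse_version(minimum):
            hits.append((key[0], key[1], bundled, minimum))
    return hits


def build_sample_jar():
    """Constructed stand-in for a shaded SDK bundle (not the real artifact):
    a jar carrying the Maven descriptors of two relocated dependencies."""
    pom_ns = 'xmlns="http://maven.apache.org/POM/4.0.0"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/shaded/Foo.class", b"\xca\xfe\xba\xbe")
        jar.writestr("META-INF/maven/commons-codec/commons-codec/pom.properties",
                     "#Generated by Maven\nversion=1.11\n"
                     "groupId=commons-codec\nartifactId=commons-codec\n")
        jar.writestr("META-INF/maven/commons-codec/commons-codec/pom.xml",
                     f"<project {pom_ns}><groupId>commons-codec</groupId>"
                     "<artifactId>commons-codec</artifactId><version>1.11</version></project>")
        jar.writestr("META-INF/maven/org.apache.httpcomponents/httpclient/pom.xml",
                     f"<project {pom_ns}><parent><groupId>org.apache.httpcomponents</groupId>"
                     "<artifactId>httpcomponents-client</artifactId><version>4.5.13</version>"
                     "</parent><artifactId>httpclient</artifactId></project>")
    return buf.getvalue()


if __name__ == "__main__":
    artifacts = shaded_artifacts(build_sample_jar())
    for (group, artifact), version in sorted(artifacts.items()):
        print(f"{group}:{artifact}:{version}")
    for group, artifact, bundled, minimum in flag_outdated(artifacts):
        print(f"FLAG {group}:{artifact} bundles {bundled}, policy requires >= {minimum}")
```

Pointing `shaded_artifacts` at a real bundle jar (read its bytes and pass them in) shows the same descriptor-based view a dependency scanner has, which is why a shaded jar keeps getting flagged until the bundled copy itself is upgraded, regardless of what the consuming project declares in its own pom.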
@IBMeric any update about this?
The latest main pom.xml for aws-sdk-java is defining an explicit codec version to be 1.15, see https://github.com/aws/aws-sdk-java/blob/master/pom.xml#L342
I am not clear as to why ibm-cos-sdk is still referencing codec 1.11
Thanks.
Thanks for the link. That change was made after this ticket was opened. We can include it in our next release. Do you know if this will satisfy your scanner?
@IBMeric yes, I am confident that it will.
Even if we did not manage to find a lot of details about PRISMA-2021-0055, the scanner explicitly says that the issue is fixed in commons-codec 1.13 or higher.
We have other packages that are using commons-codec 1.13, 1.14 or 1.15 and none of them are flagged by the scanner.
Do you have an ETA (even a rough one) for the next release where this could be fixed?
Sorry for the late reply. The work is scheduled but I haven't been able to get a release commitment internally yet. I will bring this up again today.
We have confirmed the fix and will put it in the next bug fix release. There is another fix in the works, so the plan is to release both together.
Thanks @IBMeric
Do you have an ETA (even a rough one) for the next bug fix release?
Any ETA on this fix?
The release will either be this week or early next week.