IBM / ibm-cos-sdk-java

PRISMA-2021-0055 vulnerability in latest ibm-cos-java-sdk-bundle-2.9.1.jar

tcherel opened this issue · comments

We are getting a vulnerability report on ibm-cos-java-sdk-bundle-2.9.1.jar about the shaded commons-codec 1.11 dependency that should be upgraded to 1.13 or higher.
I am not able to find much details about what PRISMA-2021-0055 is.
Is it possible to schedule an update of commons-codec to 1.13 or to the latest version so it is current?
Thanks.

Could you provide more details on the vulnerability report? Could that number be a tool-specific reference?

There is an upstream issue on this topic: aws/aws-sdk-java#125. The only reference to commons-codec is the main pom.xml. No version is listed, so there is nothing to update. We already updated HttpClient to 4.5.13 (the latest) as part of our recent release.

Thanks @IBMeric
Yes, it is a tool specific reference and I am still trying to get the details from the vendor.
But I suspect that this is related to the known commons-codec 1.11 vulnerability described here: https://issues.apache.org/jira/browse/HTTPCLIENT-2072

ibm-cos-java-sdk-bundle-2.9.1.jar contains the META-INF/maven/commons-codec/commons-codec/pom.xml file which makes an explicit reference to commons-codec 1.11
I believe that this jar file contains its own copy of commons-codec 1.11 (shaded dependency) which is why the scanning tool is raising this issue.
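The reasoning in the comment above is the kind of check a scanner does: a shaded bundle jar carries the Maven coordinates of every dependency it swallowed under META-INF/maven/. The script below is an added example, not code from the ibm-cos-sdk-java project or from anyone in this thread. It opens a jar as a zip, reads each META-INF/maven/<groupId>/<artifactId>/pom.properties entry (the companion of the pom.xml file mentioned above; it is assumed here that the shade plugin kept those entries), lists the shaded coordinates, and flags commons-codec when it is older than 1.13. The sample jar it inspects is constructed in memory with only the metadata entries that matter for the check.

```python
# Added example (not from the ibm-cos-sdk-java project): enumerate the Maven
# coordinates of dependencies shaded into a bundle jar by reading the
# META-INF/maven/<groupId>/<artifactId>/pom.properties entries that the
# maven-shade-plugin normally carries over, and flag commons-codec below 1.13.
import io
import re
import zipfile

POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(version):
    """Turn '1.11' or '4.5.13' into a tuple of ints for comparison; a trailing
    qualifier such as '-SNAPSHOT' is dropped before the split."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def shaded_dependencies(jar_bytes):
    """Return {(groupId, artifactId): version} for every pom.properties found
    under META-INF/maven inside the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS_RE.match(name)
            if not m:
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                k, v = line.split("=", 1)
                props[k.strip()] = v.strip()
            # Fall back to the path components if the properties are incomplete.
            group = props.get("groupId", m.group(1))
            artifact = props.get("artifactId", m.group(2))
            if "version" in props:
                found[(group, artifact)] = props["version"]
    return found


def flag_outdated(deps, coordinates, min_version):
    """Return the shaded version of `coordinates` when it is older than
    `min_version`, otherwise None (also None when it is not shaded at all)."""
    version = deps.get(coordinates)
    if version is None:
        return None
    if parse_version(version) < parse_version(min_version):
        return version
    return None


def build_sample_jar(codec_version):
    """Constructed stand-in for a bundle jar (sample data, not the real
    ibm-cos-java-sdk-bundle): only the pom.properties entries matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/maven/commons-codec/commons-codec/pom.properties",
            "#Generated by Maven\nversion=%s\ngroupId=commons-codec\n"
            "artifactId=commons-codec\n" % codec_version,
        )
        jar.writestr(
            "META-INF/maven/org.apache.httpcomponents/httpclient/pom.properties",
            "version=4.5.13\ngroupId=org.apache.httpcomponents\n"
            "artifactId=httpclient\n",
        )
        # A placeholder class entry, so the archive looks like a jar.
        jar.writestr("org/apache/commons/codec/binary/Base64.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    deps = shaded_dependencies(build_sample_jar("1.11"))
    for (g, a), v in sorted(deps.items()):
        print("%s:%s:%s" % (g, a, v))
    old = flag_outdated(deps, ("commons-codec", "commons-codec"), "1.13")
    print("commons-codec needs upgrade: %s" % (old if old else "no"))
```

To run it against a real bundle, replace the constructed jar with the bytes of the downloaded file (`open("ibm-cos-java-sdk-bundle-2.9.1.jar", "rb").read()`); if the shade configuration stripped the pom.properties entries, nothing will be listed, and the pom.xml files or the relocated class paths have to be inspected instead.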

@IBMeric any update about this?
The latest main pom.xml for aws-sdk-java is defining an explicit codec version to be 1.15, see https://github.com/aws/aws-sdk-java/blob/master/pom.xml#L342
I am not clear as to why ibm-cos-sdk is still referencing codec 1.11.
Thanks.

Thanks for the link. That change was made after this ticket was opened. We can include it in our next release. Do you know if this will satisfy your scanner?

@IBMeric yes, I am confident that it will.
Even if we did not manage to find a lot of details about PRISMA-2021-0055, the scanner explicitly says that the issue is fixed in commons-codec 1.13 or higher.
We have other packages that are using commons-codec 1.13, 1.14 or 1.15 and none of them are flagged by the scanner.
Do you have an ETA (even a rough one) for the next release where this could be fixed?

Sorry for the late reply. The work is scheduled but I haven't been able to get a release commitment internally yet. I will bring this up again today.

Thanks @IBMeric
Any (good) news?

We have confirmed the fix and will put it in the next bug fix release. There is another fix in the works, so the plan is to release both together.

Thanks @IBMeric
Do you have an ETA (even a rough one) for the next bug fix release?

Any ETA on this fix?

The release will either be this week or early next week.

@tcherel We have published 2.10.1. Could you verify your issue has been resolved and close this ticket?

Thanks @IBMeric
I confirm that 2.10.1 is fixing the security scan issue.
Closing.