
[BUG] Vulnerable shared libraries might make azure-communication-calling vulnerable. Can you help upgrade to patch versions?

Open · HelenParr opened this issue 3 years ago • 1 comment

Hi, @anuchandy , @vcolin7, I'd like to report a vulnerability issue in com.azure.android:azure-communication-calling:2.1.0-beta.1.

Issue Description

com.azure.android:azure-communication-calling:2.1.0-beta.1 directly or transitively depends on 23 C libraries (.so) across many platforms (such as x86-64, x86, arm64, armhf). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:

- llibskypert.so from C project openssl (version: 1.1.1i) exposed 2 vulnerabilities: CVE-2021-3711, CVE-2021-3712
- libxeengine.so from C project libpng (version: 1.6.16) exposed 4 vulnerabilities: CVE-2017-12652, CVE-2015-8472, CVE-2016-10087, CVE-2016-3751

Furthermore, the vulnerable methods in the vulnerable shared libraries can actually be invoked by Java code. For instance, the following call chain can reach the vulnerable method (C code) EC_GROUP_new_from_ecparameters() in file crypto/ec/ec_asn1.c reported by CVE-2021-3712.

Call chain:

TS_CONF_set_certs() -> TS_CONF_load_certs() -> PEM_X509_INFO_read_bio() -> d2i_ECPrivateKey() -> EC_GROUP_new_from_ecpkparameters() -> EC_GROUP_new_from_ecparameters()

Suggested Vulnerability Patch Versions

- openssl has fixed the vulnerabilities in versions >= 1.1.1l
- libpng has fixed the vulnerabilities in versions >= 1.6.37

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, Helen Parr

HelenParr, Apr 26 '22 09:04
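Since Java dependency scanners do not look inside the native libraries an AAR ships, a defender can at least check the bundled .so files themselves. The script below is an added example, not code from the issue or from the Azure SDK: it unzips an AAR (a zip archive), finds every .so, looks for the version banner that OpenSSL and libpng embed in their binaries, and compares it against the minimum fixed versions quoted in the report. The archive contents and library names are constructed here for illustration; the banner check is a heuristic and a real audit should also parse the ELF and its symbol table.

```python
import io
import re
import zipfile

# Minimum fixed versions quoted in the report (openssl >= 1.1.1l, libpng >= 1.6.37).
MIN_FIXED = {"openssl": "1.1.1l", "libpng": "1.6.37"}

# Banner strings that OpenSSL and libpng builds embed in their binaries.
PATTERNS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}

def version_key(v):
    """Turn '1.1.1i' into a comparable tuple (1, 1, 1, 9); a missing letter counts as 0."""
    major, minor, patch, letter = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v).groups()
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(patch), letter_rank)

def scan_blob(name, data):
    """Return (entry, project, version, vulnerable) for every banner found in one .so blob."""
    findings = []
    for project, pattern in PATTERNS.items():
        for m in pattern.finditer(data):
            version = m.group(1).decode()
            vulnerable = version_key(version) < version_key(MIN_FIXED[project])
            findings.append((name, project, version, vulnerable))
    return findings

def scan_aar(aar_bytes):
    """Walk every .so entry inside an AAR/JAR (both are zip files) and scan it."""
    results = []
    with zipfile.ZipFile(io.BytesIO(aar_bytes)) as zf:
        for entry in zf.namelist():
            if entry.endswith(".so"):
                results.extend(scan_blob(entry, zf.read(entry)))
    return results

def build_sample_aar():
    """Constructed sample AAR: fake .so blobs carrying the version banners from the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("jni/arm64-v8a/libskypert.so", b"\x7fELF...OpenSSL 1.1.1i  8 Dec 2020\x00")
        zf.writestr("jni/arm64-v8a/libxeengine.so", b"\x7fELF...libpng version 1.6.16 - ...\x00")
        zf.writestr("jni/x86_64/libpatched.so", b"\x7fELF...OpenSSL 1.1.1l  24 Aug 2021\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, project, version, vulnerable in scan_aar(build_sample_aar()):
        print(f"{entry}: {project} {version} {'VULNERABLE' if vulnerable else 'ok'}")
```

Point `scan_aar` at the bytes of a real azure-communication-calling AAR to list which bundled libraries still carry a banner below the fixed version.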

Hi @HelenParr, thank you for bringing this to our attention. Could you take a look @jsaurezlee-msft? Thanks :)

vcolin7, Apr 27 '22 00:04

Hi @HelenParr, we deeply appreciate your input into this project. Regrettably, this issue has remained inactive for over 2 years, leading us to the decision to close it. We've implemented this policy to maintain the relevance of our issue queue and facilitate easier navigation for new contributors. If you still believe this topic requires attention, please feel free to create a new issue, referencing this one. Thank you for your understanding and ongoing support.

github-actions[bot], Apr 26 '24 18:04