
[BUG] SECURITY: hertzbeat uses bouncycastle jars that have multiple CVEs

Open pjfanning opened this issue 5 months ago • 11 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

BouncyCastle no longer ships jdk15on jars. Projects should use the jdk18on ones instead. The jdk15on jars were for Java 1.5 users and fixes that have been made to the jdk18on jars (Java 1.8 compatible) have not been backported - including security fixes.

The last Hertzbeat RC had bcprov-jdk15on-1.69.jar

  • https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.69
  • https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on (1.81 current latest)

The class names and packages are the same.

Expected Behavior

No response

Steps To Reproduce

No response

Environment

HertzBeat version(s):

Debug logs

No response

Anything else?

No response

pjfanning avatar Jul 02 '25 17:07 pjfanning

Got it thanks.

tomsun28 avatar Jul 03 '25 01:07 tomsun28

I would like to try this. Can you assign it to me, please?

gns34 avatar Jul 03 '25 11:07 gns34

Hi @pjfanning , can you please assign this to me?

MadhuriRathod30 avatar Jul 03 '25 12:07 MadhuriRathod30

Hi @pjfanning , can you please assign this to me?

I don't have this access.

pjfanning avatar Jul 03 '25 13:07 pjfanning

Hi @tomsun28 , can you please assign this to me ?

MadhuriRathod30 avatar Jul 03 '25 13:07 MadhuriRathod30

hi @MadhuriRathod30 welcome, this has been assigned to you.

hi @gns34 sorry for that. Ladies first. If you have any other task you want to try, please @ me.

tomsun28 avatar Jul 03 '25 14:07 tomsun28

Sure, no problem.

gns34 avatar Jul 03 '25 15:07 gns34

Hi @tomsun28 thank you.

MadhuriRathod30 avatar Jul 04 '25 05:07 MadhuriRathod30

Hi @tomsun28 ,

I did some research and found out that Bouncy Castle is not a direct dependency but a transitive dependency used by com.vesoft:client. So now, to fix the bug, it is required that we exclude the transitive Bouncy Castle 1.69 version and explicitly add the latest stable release, which is currently 1.81 (as of July 2025).

However, this change introduces some maintenance overhead, as we now need to manually manage the version compatibility with any updates in com.vesoft:client. Please let me know if you're okay with proceeding with this approach.

For your reference, adding the link for the current Bouncy Castle version used by Vespa Client: Maven Central: https://central.sonatype.com/artifact/com.vesoft/client

Let me know your thoughts on this. I'm happy to proceed with the change if we agree on the direction.

MadhuriRathod30 avatar Jul 05 '25 09:07 MadhuriRathod30
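The Maven change described in the comment above, as an added example (not code from the commenter or from the HertzBeat project): exclude the transitive bcprov-jdk15on from com.vesoft:client and declare bcprov-jdk18on 1.81 directly. The com.vesoft:client version is a placeholder, and the fragment assumes it lives in the module POM that pulls in the client (hertzbeat-collector-nebulagraph per the thread).

```xml
<!-- Module POM fragment (e.g. hertzbeat-collector-nebulagraph); the client version is a placeholder -->
<dependencies>
  <dependency>
    <groupId>com.vesoft</groupId>
    <artifactId>client</artifactId>
    <version>PLACEHOLDER_VESOFT_CLIENT_VERSION</version>
    <exclusions>
      <!-- bcprov-jdk15on and bcprov-jdk18on are different artifactIds, so Maven's
           nearest-wins version resolution will NOT replace one with the other.
           Without this exclusion both jars (same packages, same class names)
           end up on the classpath and the vulnerable 1.69 classes may still win. -->
      <exclusion>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Maintained replacement; re-check this version whenever com.vesoft:client is bumped -->
  <dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk18on</artifactId>
    <version>1.81</version>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=org.bouncycastle` should list only bcprov-jdk18on; any remaining bcprov-jdk15on line means another path still pulls it in and needs the same exclusion.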

hi @MadhuriRathod30 👍 I found that com.vesoft:client is introduced by the hertzbeat-collector/hertzbeat-collector-nebulagraph pom. I think your solution is good, but we need to pay attention to the availability of the code after upgrading or removing bcprov. cc @zhangshenghang

tomsun28 avatar Jul 05 '25 09:07 tomsun28

I created https://github.com/vesoft-inc/nebula-java/pull/618 but there is no guarantee

  • that vesoft will accept it
  • that they will do a release any time soon

While I would prefer if Hertzbeat made the change suggested by @MadhuriRathod30, since the Bouncy Castle dependency is transitive, it may be ok to stick with the dependency as is.

It's a pity that vesoft don't maintain their dependencies. There are other CVEs associated with their okhttp dependency etc. They have also gone and chosen dependencies to maximise inconvenience to their users.

pjfanning avatar Jul 05 '25 09:07 pjfanning