ApplicationInsights-Java
CVE-2023-6378
Expected behavior
not to include shaded dependencies inside jar
Actual behavior
shaded dependency has a vulnerability and I cannot fix it
To Reproduce
Run trivy check and it will alert:
Java (jar)
Total: 3 (HIGH: 3, CRITICAL: 0)
┌─────────────────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library                                         │ Vulnerability       │ Severity │ Status │ Installed Version │ Fixed Version  │ Title                                                       │
├─────────────────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ ch.qos.logback:logback-classic                  │ CVE-2023-6378       │ HIGH     │ fixed  │ 1.2.12            │ 1.3.12, 1.4.12 │ A serialization vulnerability in logback receiver component │
│ (applicationinsights-runtime-attach-3.4.11.jar) │                     │          │        │                   │                │ part of l ......                                            │
│                                                 │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-6378                   │
├─────────────────────────────────────────────────┤                     │          │        │                   │                │                                                             │
│ ch.qos.logback:logback-core                     │                     │          │        │                   │                │                                                             │
│ (applicationinsights-runtime-attach-3.4.11.jar) │                     │          │        │                   │                │                                                             │
│                                                 │                     │          │        │                   │                │                                                             │
├─────────────────────────────────────────────────┼─────────────────────┤          │        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ io.netty:netty-codec-http2                      │ GHSA-xpw8-rcwv-8f8p │          │        │ 4.1.90.Final      │ 4.1.100.Final  │ io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset │
│ (applicationinsights-runtime-attach-3.4.11.jar) │                     │          │        │                   │                │ Attack                                                      │
│                                                 │                     │          │        │                   │                │ https://github.com/advisories/GHSA-xpw8-rcwv-8f8p           │
└─────────────────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘
System information
Please provide the following information:
- SDK Version: 21
- OS type and version: everyone
- Application Server type and version (if applicable):
- Using spring-boot? doesn't matter
- Additional relevant libraries (with version, if applicable):
Logs
no need for logs
Screenshots
not applicable
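The table above is Trivy's human-readable output. For tracking a finding like this across agent releases it is easier to work from `trivy --format json`. The following script is an added example, not code from the issue or from the ApplicationInsights-Java project: it parses Trivy's JSON (the `Results[].Vulnerabilities[]` layout and field names are an assumption; check them against your Trivy version), keeps the jar each shaded dependency was found in, and checks whether a planned bundled version closes the finding. The sample JSON is constructed from the three findings in the table, and the branch-aware version check is my own heuristic, not Trivy's logic: it treats `1.4.0` against a fixed field of `1.3.12, 1.4.12` as still vulnerable, because the fix on the 1.4 branch is 1.4.12.

```python
"""Triage Trivy JSON findings for dependencies shaded inside a single jar.

Added example, not part of the ApplicationInsights-Java project. The JSON
layout follows `trivy --format json` as I know it (Results[].Vulnerabilities[]);
treat the field names as an assumption and verify them against your Trivy version.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample mirroring the three findings from the issue's Trivy table.
SAMPLE_TRIVY_JSON = json.dumps({
    "Results": [{
        "Target": "applicationinsights-runtime-attach-3.4.11.jar",
        "Class": "lang-pkgs",
        "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-6378", "PkgName": "ch.qos.logback:logback-classic",
             "InstalledVersion": "1.2.12", "FixedVersion": "1.3.12, 1.4.12", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-6378", "PkgName": "ch.qos.logback:logback-core",
             "InstalledVersion": "1.2.12", "FixedVersion": "1.3.12, 1.4.12", "Severity": "HIGH"},
            {"VulnerabilityID": "GHSA-xpw8-rcwv-8f8p", "PkgName": "io.netty:netty-codec-http2",
             "InstalledVersion": "4.1.90.Final", "FixedVersion": "4.1.100.Final", "Severity": "HIGH"},
        ],
    }]
})


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: str          # raw Trivy string; may list one fix per release branch
    severity: str
    target: str         # the jar the shaded dependency was found inside


def parse_findings(trivy_json: str) -> list[Finding]:
    """Flatten Trivy's Results[].Vulnerabilities[] into Finding records."""
    doc = json.loads(trivy_json)
    out = []
    for result in doc.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append(Finding(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                               v.get("FixedVersion", ""), v["Severity"], result["Target"]))
    return out


def parse_version(text: str) -> tuple[int, ...]:
    """Numeric prefix of a Maven-style version: '4.1.100.Final' -> (4, 1, 100)."""
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break               # stop at qualifiers such as 'Final'
        nums.append(int(m.group()))
    return tuple(nums)


def is_fixed_by(installed: str, fixed_field: str) -> bool:
    """Branch-aware check against Trivy's comma-separated FixedVersion.

    Heuristic (assumption, not Trivy's own logic): the version is fixed if it is
    >= the fix on its own major.minor branch, or above every listed fix.
    """
    if not fixed_field:
        return False            # no fix published yet
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_field.split(",") if f.strip()]
    same_branch = [f for f in fixes if f[:2] == inst[:2]]
    if same_branch:
        return inst >= min(same_branch)
    return inst > max(fixes)


def triage(findings: list[Finding], planned: dict[str, str]) -> dict[str, bool]:
    """Map 'vuln_id package' -> whether the planned bundled version closes it.

    Packages without a planned upgrade are evaluated at their installed version.
    """
    verdict = {}
    for f in findings:
        candidate = planned.get(f.package, f.installed)
        verdict[f"{f.vuln_id} {f.package}"] = is_fixed_by(candidate, f.fixed)
    return verdict


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_TRIVY_JSON)
    # Versions the maintainer said would ship: Netty in 3.4.18, Logback in the December release.
    planned = {"ch.qos.logback:logback-classic": "1.3.12",
               "ch.qos.logback:logback-core": "1.3.12",
               "io.netty:netty-codec-http2": "4.1.100.Final"}
    for key, ok in triage(findings, planned).items():
        print(("resolved " if ok else "OPEN     ") + key)
```

Feed it real output with `trivy fs --format json <dir-with-jar>` redirected to a file and replace `SAMPLE_TRIVY_JSON` with that file's contents; the `target` field tells you which shaded jar a finding came from, which is the detail you need when deciding whether the bundle, rather than your own dependency tree, has to move.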
hi @dreamglobe!
Shading these dependencies is important to ensure that the Application Insights Java agent doesn't break existing applications by introducing conflicting versions of a library.
Netty 4.1.100.Final is already part of the most recent 3.4.18 release.
Logback 1.3.12 will be part of the upcoming December release. Based on the description at https://logback.qos.ch/news.html#1.3.12 it's not exploitable in the context of the Application Insights Java agent.
@trask Apologies for dropping in. Both packages already have newer versions than those mentioned -- would it be possible to up them for the December release? Thanks!
yes, these are already updated in main: #3381 and #3420
@trask I am new here. When can we expect the December release?
It's targeted 1 week after the upstream OpenTelemetry Java Instrumentation release, which currently puts it at Dec 20, but with holidays and potential upstream delays, it's more likely to slip a bit this month.
Hi @trask ,
Has the release been done? We still have this high vulnerability in our system.
https://github.com/microsoft/ApplicationInsights-Java/pull/3420,
this was released in Dec. Which version of java agent are you using? Are you sure it is from our Java agent?
Hi @trask
3.4.19 version shows high vulnerability CVE-2023-52428
that was still under investigation, right? they haven't confirmed which versions were impacted.
hi @RajaduraiAz, can you open a new issue for this, since it's a different/new CVE?