
[fix][sec] Mitigate CVE-2024-53990 by disabling AsyncHttpClient CookieStore #23725

Merged

Conversation

@lhotari (Member) commented Dec 12, 2024

Motivation

See CVE-2024-53990. There aren't backend services in Pulsar that would use cookies; however, since it's a high-severity vulnerability, there's a need to mitigate it. Eventually we will need to upgrade to AsyncHttpClient 3.0.1 to get rid of the vulnerable dependency AsyncHttpClient 2.12.x.

Modifications

  • As a mitigation, disable CookieStore by setting it to null
  • This PR doesn't upgrade to AsyncHttpClient 3.0.1
    • Upgrading to AsyncHttpClient 3.0.1 will be more work. It will be handled separately.

…eStore

- Disable CookieStore by setting it to null in all locations
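The mitigation the PR describes, shown as an added example that is not Pulsar's own code: build an AsyncHttpClient 2.12.x configuration with the CookieStore set to null, and check the resulting config before handing it to a client. The class name, the two helper methods and the main method are mine; the example assumes only the org.asynchttpclient 2.12.x API (DefaultAsyncHttpClientConfig.Builder#setCookieStore, AsyncHttpClientConfig#getCookieStore and Dsl#asyncHttpClient).

```java
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.AsyncHttpClientConfig;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.Dsl;

// Example only (not Pulsar code): how a config with the CookieStore
// disabled is built and verified, using the AsyncHttpClient 2.12.x API.
public final class NoCookieStoreHttpClient {

    // The default builder keeps AsyncHttpClient's built-in in-memory
    // CookieStore, so cookies received from one response are stored and
    // replayed on later requests made through the same client.
    static AsyncHttpClientConfig defaultConfig() {
        return new DefaultAsyncHttpClientConfig.Builder().build();
    }

    // Mitigated config: setting the CookieStore to null is the change the
    // PR applies at every place Pulsar constructs a builder. With no store,
    // the client has nothing to persist or replay between requests.
    static AsyncHttpClientConfig hardenedConfig() {
        return new DefaultAsyncHttpClientConfig.Builder()
                .setCookieStore(null)   // CVE-2024-53990 mitigation
                .build();
    }

    // The check a reviewer wants on every config that reaches a client:
    // the store must really be absent, not merely left at its default.
    static boolean cookieStoreDisabled(AsyncHttpClientConfig config) {
        return config.getCookieStore() == null;
    }

    public static void main(String[] args) throws Exception {
        AsyncHttpClientConfig weak = defaultConfig();
        AsyncHttpClientConfig hardened = hardenedConfig();

        System.out.println("default config cookie store disabled:  "
                + cookieStoreDisabled(weak));       // false
        System.out.println("hardened config cookie store disabled: "
                + cookieStoreDisabled(hardened));   // true

        if (!cookieStoreDisabled(hardened)) {
            throw new IllegalStateException("CookieStore is still enabled");
        }

        // Only the hardened config is used to build an actual client.
        try (AsyncHttpClient client = Dsl.asyncHttpClient(hardened)) {
            System.out.println("client created without a CookieStore");
        }
    }
}
```

Because the mitigation has to be applied at every construction site, a practical follow-up check on a codebase is to list each occurrence of `DefaultAsyncHttpClientConfig.Builder` (for example with `grep -rn "DefaultAsyncHttpClientConfig.Builder" --include=*.java`) and confirm that every one of them calls `setCookieStore(null)`; any builder that does not still carries the default store.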
@codecov-commenter commented Dec 13, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.38%. Comparing base (bbc6224) to head (a838d39).
Report is 789 commits behind head on master.


@@             Coverage Diff              @@
##             master   #23725      +/-   ##
============================================
+ Coverage     73.57%   74.38%   +0.81%     
- Complexity    32624    34559    +1935     
============================================
  Files          1877     1945      +68     
  Lines        139502   147486    +7984     
  Branches      15299    16277     +978     
============================================
+ Hits         102638   109713    +7075     
- Misses        28908    29306     +398     
- Partials       7956     8467     +511     
Flag        Coverage   Δ
inttests    27.29%     <20.00%>   (+2.70%) ⬆️
systests    24.35%     <20.00%>   (+0.03%) ⬆️
unittests   73.77%     <100.00%>  (+0.93%) ⬆️

Files with missing lines                                   Coverage   Δ
...hentication/oidc/AuthenticationProviderOpenID.java      73.65%     <100.00%>  (-3.14%) ⬇️
...client/admin/internal/http/AsyncHttpConnector.java      85.21%     <100.00%>  (-1.21%) ⬇️
.../pulsar/client/impl/ControlledClusterFailover.java      65.38%     <100.00%>  (+0.33%) ⬆️
...java/org/apache/pulsar/client/impl/HttpClient.java      80.76%     <100.00%>  (+2.57%) ⬆️
.../client/impl/auth/oauth2/protocol/TokenClient.java      81.25%     <100.00%>  (+0.39%) ⬆️

... and 667 files with indirect coverage changes

@lhotari lhotari merged commit 51e8247 into apache:master Dec 13, 2024
57 of 59 checks passed
lhotari added three commits that referenced this pull request Dec 13, 2024
nikhil-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 19, 2024
…eStore (apache#23725)

(cherry picked from commit 51e8247)
(cherry picked from commit 78274a7)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Dec 23, 2024
…eStore (apache#23725)

(cherry picked from commit 51e8247)
(cherry picked from commit 78274a7)
nodece pushed a commit to ascentstream/pulsar that referenced this pull request Dec 27, 2024
…eStore (apache#23725)

(cherry picked from commit 51e8247)
Signed-off-by: Zixuan Liu <[email protected]>