Use of deprecated ion-java

[zdenda-online]

Describe the bug

In 2020 ion-java was migrated to different maven coordinates but unfortunately AWS SDK still uses the older one.

That itself wouldn't be a big deal. However, there are some security vulnerabilities reported to ion-java (e.g. CVE-2024-21634) with high+ CVSS. Having dependency on older ion-java makes fix of this vulnerability hard.

Expected Behavior

AWS SDKs use correct ion-java with group ID com.amazon.ion

Current Behavior

AWS SDKs use old ion-java group ID software.amazon.ion

Reproduction Steps

Run OWASP security check (no matter the tool) and see what CVEs from ion-java gets produced.

Possible Solution

Migrate to newer ion-java (currently 1.11.0) that have security issues resolved (it is also better for future patches).

Additional Information/Context

No response

AWS Java SDK version used

1.12.634

JDK version used

any

Operating System and version

any

[berry120]

Just to add to this - we're facing the same issue with the CodeGuru Java Profiler Agent which I don't think is set up to use the core SDK - it's using a version of 1.5.2 which also has the CVE that we're trying to get rid of.

[debora-ito]

Acknowledged the CVE. We'll review #2969.

@berry120 we are not the maintainers of 'codeguru-profiler-java-agent', I'll reach out to the team that maintains it.

[berry120]

@debora-ito Appreciate it, thank you! Is there another repository I should open an issue on to keep in touch with the correct team?

[debora-ito]

I couldn't find one after a quick search. But I opened an internal ticket, I'll update here when I hear back from them.

[berry120]

@debora-ito Thank you very much!

[cedricmillet]

+1

[baldram]

I couldn't find one after a quick search. But I opened an internal ticket, I'll update here when I hear back from them.

Thank you @debora-ito. Since the CVE is classified as high severity, any information regarding the current status would be greatly appreciated. This is important even if a prolonged wait for a resolution from the aforementioned team is expected. Knowing this will help us determine if there is a need for potential workarounds, such as forcing a version for a transitive dependency.

[codingtim]

Forcing the transitive dependency version will not help as the v1.0.2 uses packages under software.amazon.ion
the new version with the fix uses com.amazon.ion as package. So the 2 versions are incompatible.
Perhaps it is possible to exclude the dependency if it is unused? I am not really sure where in the sdk this library is used.

[baldram]

Perhaps it is possible to exclude the dependency if it is unused?

Thank you @codingtim for clarification and great hint! Actually, it's theoretically possible. I come from Scala world and with SBT it's like this: https://www.baeldung.com/scala/sbt-exclude-dependencies#exclude-dependencies-from-all-dependencies, while with Maven it should be similar I guess.

I am not really sure where in the sdk this library is used.

This is indeed a good question. I would prefer to steer clear of any "hacking" approaches and the associated risks, as forcing excluding could potentially lead to further complications. However, continuing to operate with a "high" vulnerability is also undesirable. It would be beneficial to ascertain the expected timeframe for the resolution of this issue (cc: @debora-ito). If we are aware that the solution will not be forthcoming in the near future, this understanding would suggest that we should proceed with implementing a workaround.

[jeffalder]

I am not really sure where in the sdk this library is used

@codingtim @baldram #2969 this PR removes Ion entirely, so that should list all the locations.

The problem is that the coordinates (group and artifact) changed ... and the class package names changed. So as far as Java is concerned, com.amazon.ion and software.amazon.ion are completely unrelated.

I might explore just excluding the dependency. Unfortunately, the way the class name is specified in the code, class loading related JSON modules may fail.

[baldram]

this PR removes Ion entirely, so that should list all the locations.

Yep, unfortunately AWS's communication on this matter is quite sparse. @zdenda-online inquired about the ETA for the merge, but received no response. But let's wait for the developments.

[jeffalder]

let's wait for the developments

Indeed. However, I'm going to start working towards replacing the AWS SDK v1 with v2, which doesn't use the vulnerable library... and is the recommended path regardless.

[davidh44]

Ion has been removed from Java v1

[github-actions]

COMMENT VISIBILITY WARNING

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[rogierslag]

Ion has been removed from Java v1

Thanks! Will there shortly be a release 1.12.639 where the dependency is removed?

[davidh44]

Thanks! Will there shortly be a release 1.12.639 where the dependency is removed?

The dependency was removed as part of the 1.12.638 release

[baldram]

I'm going to start working towards replacing the AWS SDK v1 with v2, which doesn't use the vulnerable library... and is the recommended path regardless.

This is very sound advice and the right approach. However, there is a case where SDK V2 still uses dependencies from V1. 😞 Therefore, until the release of V3, we must maintain the deprecated dependency and respond to vulnerabilities like this one. (aws/aws-xray-sdk-java#92).

Thank you to the AWS team for their response and for issuing the fix.

[debora-ito]

@berry120 just got an update from the CodeGuru Profiler team, they released a new version that upgraded ion-java to 1.11.1.

Please upgrade to codeguru-profiler-java-agent to 1.2.3.

[berry120]

@debora-ito Thanks very much!