async-http-client (AHC) 2.12.4 has been released with a fix for CVE-2024-53990. This is how we avoided replacing AsyncHttpClient with some other HttpClient that supports Netty and Java 8.

This upgrade to AHC 2.12.4 has been made in PR https://github.com/apache/pulsar/pull/23732. The security advisory of CVE-2024-53990 [1] has been updated to include the information that 2.12.4 addresses the vulnerability. In addition to the AHC 2.12.4 upgrade, persistent cookies are disabled in the async-http-client usage in Pulsar with https://github.com/apache/pulsar/pull/23725. There's currently no dependency on cookies within the Pulsar code base.

The upcoming Pulsar 3.0.9 and Pulsar 4.0.2 releases will contain this fix. Please note that support for Pulsar 3.3.x ended on December 5th [2] and no releases are currently planned for it. A 3.3.4 release could happen if the community decides that a release is needed due to this security vulnerability and there's a volunteer for running the release. I can handle the Pulsar 3.0.9 and 4.0.2 releases in the release manager role.

Before the Pulsar 4.0.2 release, there's a need to address the incompatibility of Netty native libraries with the Pulsar Alpine image. The issue is https://github.com/apache/pulsar/issues/23717. Due to this open critical issue and the holidays, I'd suggest a schedule where the release candidates for 3.0.9 and 4.0.2 would go out for voting on January 3rd, 2025. The ETA for the releases would be January 10th, 2025.

-Lari

1 - https://github.com/advisories/GHSA-mfj5-cf8g-g2fv
2 - https://pulsar.apache.org/contribute/release-policy/

On 2024/12/15 18:33:54 Lari Hotari wrote:
> It looks like an AHC 2.12.x release is planned with the fix:
> https://github.com/AsyncHttpClient/async-http-client/pull/2033#issuecomment-2543985990
>
> -Lari
>
> On 2024/12/13 13:18:56 Lari Hotari wrote:
> > Hi everyone,
> >
> > I wanted to bring up the recent critical severity vulnerability
> > (CVE-2024-53990 [1]) discovered in AsyncHttpClient versions <3.0.1,
> > which affects our current dependency on AsyncHttpClient 2.12.x in the
> > Pulsar Java client and Admin client.
> >
> > In standard use cases, Pulsar doesn't use cookies, so the
> > AsyncHttpClient CookieStore is not used. Therefore, this vulnerability
> > is not directly applicable to Pulsar.
> > Although this is our current understanding, I have created PR #23725
> > [2] that implements an immediate mitigation by disabling the
> > CookieStore for our uses of AsyncHttpClient. Since Pulsar doesn't use
> > cookies, this is a feasible mitigation to declare that CVE-2024-53990
> > doesn't apply to Pulsar. While disabling the CookieStore mitigates the
> > actual vulnerability, many organizations have security policies that
> > require complete elimination of dependencies with critical
> > vulnerabilities. The current mitigation approach (null CookieStore)
> > may not satisfy these compliance requirements.
> >
> > However, we face a significant challenge: AsyncHttpClient 3.0.1 (the
> > fixed version) requires Java 11+, while the Pulsar Java client and
> > Admin client must maintain Java 8 compatibility.
> > AsyncHttpClient 2.12.x is not maintained, and I'm not aware of plans
> > to address CVE-2024-53990 in AHC 2.12.x. I've reached out to AHC
> > maintainers [3] to explore the possibility of backporting the fix to
> > the 2.12.x branch to maintain Java 8 support, as this would be our
> > ideal solution.
> >
> > Since it's unlikely that AHC will backport the fix to 2.12.x and make
> > a release with a quick schedule, we need to consider migrating to
> > alternative HTTP clients or raising the minimum Java version
> > requirement for the Pulsar Java client and Admin client from Java 8 to
> > Java 11+.
> > Initial research suggests Reactor Netty's HttpClient [4][5] as a
> > potential candidate for replacing AsyncHttpClient in Pulsar, as it is
> > Netty-based, supports Java 8, and is actively maintained.
> >
> > I would appreciate the community's thoughts on:
> > - Which approach seems most viable?
> > - Are there other HTTP client alternatives we should consider?
> > - Are there others willing to contribute to addressing CVE-2024-53990 in
> > Pulsar?
> >
> > Best regards,
> >
> > Lari
> >
> > 1 - GitHub advisory for CVE-2024-53990:
> > https://github.com/advisories/GHSA-mfj5-cf8g-g2fv
> > 2 - https://github.com/apache/pulsar/pull/23725
> > 3 - https://github.com/AsyncHttpClient/async-http-client/pull/2033#issuecomment-2541330573
> > 4 - https://projectreactor.io/docs/netty/snapshot/reference/http-client.html
> > 5 - https://github.com/reactor/reactor-netty
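The thread above describes the interim mitigation as a "null CookieStore" in the Pulsar usage of AsyncHttpClient. The following is an added example, not code from Pulsar PR #23725 or from the AHC project, showing the default AHC 2.12.x configuration (which installs a persistent cookie store) next to a configuration with the cookie store disabled, plus a check that reports which one is in effect. It assumes the AHC 2.12.x API as I recall it: DefaultAsyncHttpClientConfig.Builder#setCookieStore accepting null, AsyncHttpClientConfig#getCookieStore, and Dsl.asyncHttpClient(AsyncHttpClientConfig); verify these against the 2.12.4 javadoc before relying on them.

```java
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.AsyncHttpClientConfig;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.cookie.CookieStore;

import java.io.IOException;

/**
 * Added example (not Pulsar or AHC project code). Compares the default AHC
 * configuration, which keeps a persistent CookieStore, with a configuration
 * whose cookie store is disabled, the mitigation described in the thread.
 * Assumed API (AHC 2.12.x): DefaultAsyncHttpClientConfig.Builder#setCookieStore
 * and AsyncHttpClientConfig#getCookieStore.
 */
public final class CookieStoreMitigation {

    /** Weak setting for a client that never needs cookies: the default builder installs a cookie store. */
    static AsyncHttpClientConfig defaultConfig() {
        return new DefaultAsyncHttpClientConfig.Builder().build();
    }

    /**
     * Corrected setting: passing null removes the persistent cookie store, so
     * Set-Cookie headers from any response are never stored or replayed by this client.
     */
    static AsyncHttpClientConfig noCookieStoreConfig() {
        return new DefaultAsyncHttpClientConfig.Builder()
                .setCookieStore(null)
                .build();
    }

    /** Returns true when the configuration carries no cookie store at all. */
    static boolean cookieStoreDisabled(AsyncHttpClientConfig config) {
        CookieStore store = config.getCookieStore();
        return store == null;
    }

    public static void main(String[] args) throws IOException {
        AsyncHttpClientConfig withStore = defaultConfig();
        AsyncHttpClientConfig withoutStore = noCookieStoreConfig();

        // Expected: false for the default config, true for the hardened config.
        System.out.println("default config, cookie store disabled:  " + cookieStoreDisabled(withStore));
        System.out.println("hardened config, cookie store disabled: " + cookieStoreDisabled(withoutStore));

        // Build a client from the hardened config; closing it releases the Netty resources.
        try (AsyncHttpClient client = Dsl.asyncHttpClient(withoutStore)) {
            // Requests issued through this client pass through no CookieStore.
        }
    }
}
```

The check in cookieStoreDisabled is the kind of assertion worth keeping in a unit test wherever a project builds its AsyncHttpClient instances, so that a later refactor that drops the setCookieStore(null) call is caught rather than silently re-enabling cookie persistence.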