Vulnerable dependencies due to fabric-sdk-java static

[benjsmi]

NB: Please note that this issue is in progress and will be updated.

I have decided to amalgamate these all into one list to make things easier for the Hyperledger Fabric team. @denyeart explained that JARs/dependencies with known vulnerabilities are OK to report via GitHub issue. So here we go.

Name	Found in Code	CVEs	Due Date	Status
commons-compress-1.18.jar	Transitive dependency from fabric-sdk-java:1.4.4 in fabric-chaincode-integration-test, which is imported here: fabric-chaincode-java/fabric-chaincode-integration-test/build.gradle Line 3 in 40126d0 testImplementation 'org.hyperledger.fabric-sdk-java:fabric-sdk-java:1.4.4' . That version of fabric-sdk-java imports commons-compress v1.18: https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L134	https://nvd.nist.gov/vuln/detail/CVE-2021-35515, https://nvd.nist.gov/vuln/detail/CVE-2021-35516, https://nvd.nist.gov/vuln/detail/CVE-2021-36090, https://nvd.nist.gov/vuln/detail/CVE-2021-35517, https://nvd.nist.gov/vuln/detail/CVE-2019-12402	Aug 21, 2023	Addressed by #309
commons-io-2.6.jar	Transitive dependency from fabric-sdk-java:1.4.4, which is imported here: fabric-chaincode-java/fabric-chaincode-integration-test/build.gradle Line 3 in 40126d0 testImplementation 'org.hyperledger.fabric-sdk-java:fabric-sdk-java:1.4.4' . That version of fabric-sdk-java imports commons-compress v2.6: https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L139	https://nvd.nist.gov/vuln/detail/CVE-2021-29425	Aug 21, 2023	Addressed by #309
gson-2.7.jar	fabric-chaincode-integration-test imports fabric-sdk-java v1.4.4: fabric-chaincode-java/fabric-chaincode-integration-test/build.gradle Line 3 in 40126d0 testImplementation 'org.hyperledger.fabric-sdk-java:fabric-sdk-java:1.4.4' . fabric-sdk-java imports grpc-stub: https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L90. Version v1.17.1 is declared here: https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L31, grpc-stub v1.17.1 imports grpc-core v1.17.1 as shown here: https://mvnrepository.com/artifact/io.grpc/grpc-stub/1.17.1. grpc-core v1.17.1 imports gson v2.7 as shown here: https://mvnrepository.com/artifact/io.grpc/grpc-core/1.17.1	https://nvd.nist.gov/vuln/detail/CVE-2022-25647	Aug 21, 2023	Addressed by #309
httpclient-4.5.6.jar	Transitive dependency from fabric-sdk-java:1.4.4, which is imported here: fabric-chaincode-java/fabric-chaincode-integration-test/build.gradle Line 3 in 40126d0 testImplementation 'org.hyperledger.fabric-sdk-java:fabric-sdk-java:1.4.4' . That version of fabric-sdk-java imports httpclient v4.5.6 directly as shown in https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L34	https://nvd.nist.gov/vuln/detail/CVE-2020-13956	Oct 20, 2023	Addressed by #309
log4j-1.2.17.jar	fabric-chaincode-integration-test includes fabric-sdk-java at v1.4.4 here fabric-chaincode-java/fabric-chaincode-integration-test/build.gradle Line 3 in 40126d0 testImplementation 'org.hyperledger.fabric-sdk-java:fabric-sdk-java:1.4.4' . fabric-sdk-java v1.4.4 imports log4j v1.2.17 directly at https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L39C3-L39C3	https://nvd.nist.gov/vuln/detail/CVE-2022-23307, https://nvd.nist.gov/vuln/detail/CVE-2023-26464, https://nvd.nist.gov/vuln/detail/CVE-2022-23302, https://nvd.nist.gov/vuln/detail/CVE-2020-9493, https://nvd.nist.gov/vuln/detail/CVE-2020-9488, etc	Aug 21, 2023	Addressed by #309
netty-codec-4.1.32.Final.jar	Multilayered transitive dependency. fabric-chaincode-integration-test imports fabric-sdk-java fixed at version v1.4.4 here: fabric-chaincode-java/fabric-chaincode-integration-test/build.gradle Line 3 in 40126d0 testImplementation 'org.hyperledger.fabric-sdk-java:fabric-sdk-java:1.4.4' . fabric-sdk-java imports io.grpc.grpc-netty v1.17.1 at https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L31 (and https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L80). io.grpc.grpc-netty imports netty-handler-proxy-4.1.30.Final as shown in https://mvnrepository.com/artifact/io.grpc/grpc-netty/1.17.1. netty-handler-proxy v4.1.30.Final includes a whole boatload of vulnerabilities as seen at https://mvnrepository.com/artifact/io.netty/netty-handler-proxy/4.1.30.Final, and which also includes netty-codec-http v4.1.30.Final. netty-codec-http v4.1.30.Final includes netty-codec v4.1.32, which is vulnerable as shown in https://mvnrepository.com/artifact/io.netty/netty-codec-http/4.1.30.Final.	https://nvd.nist.gov/vuln/detail/CVE-2020-11612, https://nvd.nist.gov/vuln/detail/CVE-2021-37136, https://nvd.nist.gov/vuln/detail/CVE-2021-37137	Aug 21, 2023	Addressed by #309
netty-codec-http-4.1.32.Final.jar, netty-codec-http2-4.1.32.Final.jar	Multilayered transitive dependency. fabric-chaincode-integration-test imports fabric-sdk-java fixed at version v1.4.4 here: fabric-chaincode-java/fabric-chaincode-integration-test/build.gradle Line 3 in 40126d0 testImplementation 'org.hyperledger.fabric-sdk-java:fabric-sdk-java:1.4.4' . fabric-sdk-java imports io.grpc.grpc-netty v1.17.1 at https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L31 (and https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L80). io.grpc.grpc-netty imports netty-codec-http2 at v4.1.30.Final as shown here https://mvnrepository.com/artifact/io.grpc/grpc-netty/1.17.1.	https://nvd.nist.gov/vuln/detail/cve-2021-21295, https://nvd.nist.gov/vuln/detail/CVE-2019-9512, https://nvd.nist.gov/vuln/detail/CVE-2019-9514, https://nvd.nist.gov/vuln/detail/CVE-2021-21409, https://nvd.nist.gov/vuln/detail/CVE-2019-9515, , https://nvd.nist.gov/vuln/detail/CVE-2019-9518	Aug 21, 2023	Addressed by #309
netty-handler-4.1.32.Final.jar	Multilayered transitive dependency. fabric-chaincode-integration-test imports fabric-sdk-java fixed at version v1.4.4 here: fabric-chaincode-java/fabric-chaincode-integration-test/build.gradle Line 3 in 40126d0 testImplementation 'org.hyperledger.fabric-sdk-java:fabric-sdk-java:1.4.4' . fabric-sdk-java imports io.netty.netty-codec-http2 at v4.1.32.Final. netty-codec-http2 imports io.netty.netty-handler at v4.1.32.Final as shown here https://mvnrepository.com/artifact/io.netty/netty-codec-http2/4.1.32.Final	https://nvd.nist.gov/vuln/detail/CVE-2023-34462, https://nvd.nist.gov/vuln/detail/CVE-2021-21290	Aug 21, 2023	Addressed by #309
snakeyaml-1.23.jar	fabric-chaincode-integration-test includes fabric-sdk-java at v1.4.4 here fabric-chaincode-java/fabric-chaincode-integration-test/build.gradle Line 3 in 40126d0 testImplementation 'org.hyperledger.fabric-sdk-java:fabric-sdk-java:1.4.4' . fabric-sdk-java v1.4.4 imports snakeyaml v1.23 directly at https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L204-L208	https://nvd.nist.gov/vuln/detail/CVE-2022-38749, https://nvd.nist.gov/vuln/detail/CVE-2022-41854, https://nvd.nist.gov/vuln/detail/CVE-2022-25857, https://nvd.nist.gov/vuln/detail/CVE-2022-38751, https://nvd.nist.gov/vuln/detail/CVE-2022-38752, https://nvd.nist.gov/vuln/detail/CVE-2022-38750, https://nvd.nist.gov/vuln/detail/CVE-2022-1471, https://nvd.nist.gov/vuln/detail/CVE-2017-18640	Aug 21, 2023	Addressed by #309

[denyeart]

@bestbeforetoday Both PRs have been merged. Can this be closed now?

[benjsmi]

Can't be closed yet; I'm still tracing/tracking. I promise I will close once I have gotten everything squared away.

[benjsmi]

I reduced this to just the dependencies that were resulting from being dependent on a backlevel version of fabric-sdk-java, which has been addressed in #309. Therefore, we can now close this issue.

[benjsmi]

Found another one:

Name	Found in Code	CVEs	Due Date	Status
protobuf-java-3.6.1.jar	Transitive dependency from fabric-sdk-java:1.4.4 in fabric-chaincode-integration-test, which is imported here: fabric-chaincode-java/fabric-chaincode-integration-test/build.gradle Line 3 in 40126d0 testImplementation 'org.hyperledger.fabric-sdk-java:fabric-sdk-java:1.4.4' . That version of fabric-sdk-java imports protobuf-java https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L103-L113 at v3.6.1 (https://github.com/hyperledger/fabric-sdk-java/blob/v1.4.4/pom.xml#L32) and also imports protobuf-java-util.	https://nvd.nist.gov/vuln/detail/CVE-2022-3509, https://nvd.nist.gov/vuln/detail/CVE-2022-3510, https://nvd.nist.gov/vuln/detail/CVE-2022-3171	Aug 21, 2023	Addressed by #309 ✅

[bestbeforetoday]

There still needs to be an update to grpc-java v1.57 when it is released to address a vulnerability in guava. There might be a vulnerability related to OpenTelemetry too. I hit an issue trying to update to even the current gRPC versions, which broke the integration tests. I haven't yet had a chance to investigate why. I hope the gRPC and OpenTelemetry versions are not too tightly coupled as updating OpenTelemetry involves API changes and is harder.

There is also a potential issue with fabric-protos dependencies. PR hyperledger/fabric-protos#187 goes some way to addressing that but it ideally should also be updated to gRPC v1.57 when it is released, and then a new version of fabric-protos published that fabric-chaincode-shim and fabric-gateway can pull in.