
PRISMA-2021-0055 vulnerability in latest ibm-cos-java-sdk-bundle-2.9.1.jar #38

Closed
tcherel opened this issue Mar 25, 2021 · 13 comments

@tcherel

tcherel commented Mar 25, 2021

We are getting a vulnerability report on ibm-cos-java-sdk-bundle-2.9.1.jar about the shaded commons-codec 1.11 dependency that should be upgraded to 1.13 or higher.
I am not able to find much details about what PRISMA-2021-0055 is.
Is it possible to schedule an update of commons-codec to 1.13 or to the latest version so it is current?
Thanks.

@IBMeric
Member

IBMeric commented Mar 25, 2021

Could you provide more details on the vulnerability report? Could that number be a tool-specific reference?

There is an upstream issue on this topic: aws/aws-sdk-java#125. The only reference to commons-codec is the main pom.xml. No version is listed, so there is nothing to update. We already updated HttpClient to 4.5.13 (the latest) as part of our recent release.

@tcherel
Author

tcherel commented Mar 29, 2021

Thanks @IBMeric
Yes, it is a tool specific reference and I am still trying to get the details from the vendor.
But I suspect that this is related to the known commons-codec 1.11 vulnerability described here: https://issues.apache.org/jira/browse/HTTPCLIENT-2072

ibm-cos-java-sdk-bundle-2.9.1.jar contains the META-INF/maven/commons-codec/commons-codec/pom.xml file, which makes an explicit reference to commons-codec 1.11.
I believe that this jar file contains its own copy of commons-codec 1.11 (shaded dependency) which is why the scanning tool is raising this issue.
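One way to confirm the shaded copy described above is to list the Maven descriptors embedded under META-INF/maven/ inside the bundle jar and compare each version against a minimum. This is an added example, not code from the issue or the ibm-cos-sdk project; it builds a stand-in jar in memory and the minimum-version map is a hypothetical policy input.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Shaded jars keep each bundled artifact's descriptor at
# META-INF/maven/<groupId>/<artifactId>/pom.xml, which is what the scanner reads.
POM_PATH = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.xml$")

# Constructed stand-in for the descriptor the real bundle carries for commons-codec 1.11.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.apache.commons</groupId>
          <artifactId>commons-parent</artifactId><version>42</version></parent>
  <groupId>commons-codec</groupId>
  <artifactId>commons-codec</artifactId>
  <version>1.11</version>
</project>"""

def build_sample_jar() -> bytes:
    """Constructed in-memory jar standing in for ibm-cos-java-sdk-bundle-2.9.1.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/commons-codec/commons-codec/pom.xml", SAMPLE_POM)
        zf.writestr("org/apache/commons/codec/binary/Base64.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def _child_text(elem, name):
    # Direct children only (namespace stripped), so <parent><version> is not mistaken
    # for the artifact's own version.
    for child in elem:
        if child.tag.split("}")[-1] == name:
            return (child.text or "").strip()
    return None

def shaded_dependencies(jar_bytes: bytes) -> dict:
    """Map 'groupId:artifactId' -> version for every Maven pom.xml shaded into the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PATH.match(name)
            if not m:
                continue
            root = ET.fromstring(zf.read(name))
            version = _child_text(root, "version")
            if version is None:  # Maven inherits the version from <parent> when omitted
                parent = next((c for c in root if c.tag.endswith("parent")), None)
                version = _child_text(parent, "version") if parent is not None else "unknown"
            found[f"{m.group(1)}:{m.group(2)}"] = version
    return found

def version_tuple(v: str):
    return tuple(int(x) for x in re.findall(r"\d+", v))

def flag_outdated(deps: dict, minimums: dict) -> list:
    """Return (coordinate, found, required) for shaded artifacts below the minimum version."""
    return [(c, v, minimums[c]) for c, v in deps.items()
            if c in minimums and version_tuple(v) < version_tuple(minimums[c])]
```

Running shaded_dependencies() over the real bundle jar and flag_outdated() with {"commons-codec:commons-codec": "1.13"} reproduces the scanner's finding without relying on the tool's opaque reference number.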

@tcherel
Author

tcherel commented May 28, 2021

@IBMeric any update about this?
The latest main pom.xml for aws-sdk-java is defining an explicit codec version to be 1.15, see https://github.com/aws/aws-sdk-java/blob/master/pom.xml#L342
I am not clear as to why ibm-cos-sdk is still referencing codec 1.11.
Thanks.

@IBMeric
Member

IBMeric commented May 28, 2021

Thanks for the link. That change was made after this ticket was opened. We can include it in our next release. Do you know if this will satisfy your scanner?

@tcherel
Author

tcherel commented May 28, 2021

@IBMeric yes, I am confident that it will.
Even if we did not manage to find a lot of details about PRISMA-2021-0055, the scanner explicitly says that the issue is fixed in commons-codec 1.13 or higher.
We have other packages that are using commons-codec 1.13, 1.14 or 1.15 and none of them are flagged by the scanner.
Do you have an ETA (even a rough one) for the next release where this could be fixed?

@IBMeric
Member

IBMeric commented Jun 14, 2021

Sorry for the late reply. The work is scheduled but I haven't been able to get a release commitment internally yet. I will bring this up again today.

@tcherel
Author

tcherel commented Jun 16, 2021

Thanks @IBMeric
Any (good) news?

@IBMeric
Member

IBMeric commented Jun 30, 2021

We have confirmed the fix and will put it in the next bug fix release. There is another fix in the works, so the plan is to release both together.

@tcherel
Author

tcherel commented Jul 2, 2021

Thanks @IBMeric
Do you have an ETA (even a rough one) for the next bug fix release?

@jackson-chris

Any ETA on this fix?

@IBMeric
Member

IBMeric commented Jul 7, 2021

The release will either be this week or early next week.

@IBMeric
Member

IBMeric commented Jul 13, 2021

@tcherel We have published 2.10.1. Could you verify your issue has been resolved and close this ticket?

@tcherel
Author

tcherel commented Jul 13, 2021

Thanks @IBMeric
I confirm that 2.10.1 is fixing the security scan issue.
Closing.
