Hi everyone, I wanted to bring up the recent critical severity vulnerability (CVE-2024-53990 [1]) discovered in AsyncHttpClient versions <3.0.1, which affects our current dependency on AsyncHttpClient 2.12.x in the Pulsar Java client and Admin client.
In standard use cases, Pulsar doesn't use cookies, so the AsyncHttpClient CookieStore is not used. Therefore, this vulnerability is not directly applicable to Pulsar. Although this is our current understanding, I have created PR #23725 [2] that implements an immediate mitigation by disabling the CookieStore for our uses of AsyncHttpClient. Since Pulsar doesn't use cookies, this is a feasible mitigation to declare that CVE-2024-53990 doesn't apply to Pulsar.

While disabling the CookieStore mitigates the actual vulnerability, many organizations have security policies that require complete elimination of dependencies with critical vulnerabilities. The current mitigation approach (null CookieStore) may not satisfy these compliance requirements.

However, we face a significant challenge: AsyncHttpClient 3.0.1 (the fixed version) requires Java 11+, while the Pulsar Java client and Admin client must maintain Java 8 compatibility. AsyncHttpClient 2.12.x is not maintained, and I'm not aware of plans to address CVE-2024-53990 in AHC 2.12.x. I've reached out to AHC maintainers [3] to explore the possibility of backporting the fix to the 2.12.x branch to maintain Java 8 support, as this would be our ideal solution.

Since it's unlikely that AHC will backport the fix to 2.12.x and make a release with a quick schedule, we need to consider migrating to alternative HTTP clients or raising the minimum Java version requirement for the Pulsar Java client and Admin client from Java 8 to Java 11+. Initial research suggests Reactor Netty's HttpClient [4][5] as a potential candidate for replacing AsyncHttpClient in Pulsar, as it is Netty-based, supports Java 8, and is actively maintained.

I would appreciate the community's thoughts on:
- Which approach seems most viable?
- Are there other HTTP client alternatives we should consider?
- Are there others willing to contribute to addressing CVE-2024-53990 in Pulsar?
Best regards,
Lari

1 - GitHub advisory for CVE-2024-53990: https://github.com/advisories/GHSA-mfj5-cf8g-g2fv
2 - https://github.com/apache/pulsar/pull/23725
3 - https://github.com/AsyncHttpClient/async-http-client/pull/2033#issuecomment-2541330573
4 - https://projectreactor.io/docs/netty/snapshot/reference/http-client.html
5 - https://github.com/reactor/reactor-netty
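The "null CookieStore" mitigation described in the message, shown as an added illustration rather than the code of PR #23725 itself. It assumes the AsyncHttpClient 2.12.x configuration API (DefaultAsyncHttpClientConfig.Builder#setCookieStore, AsyncHttpClient#getConfig) is the knob used; the default-vs-hardened comparison and the startup check are constructed for this example.

```java
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.AsyncHttpClientConfig;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.Dsl;

// Illustration of disabling the AHC CookieStore (assumed API, not PR #23725's code).
public final class CookieStoreMitigation {

    // Default configuration: AHC 2.12.x installs a shared CookieStore, which is the
    // component the advisory concerns even though Pulsar never sends or reads cookies.
    static AsyncHttpClientConfig defaultConfig() {
        return new DefaultAsyncHttpClientConfig.Builder().build();
    }

    // Hardened configuration: a null CookieStore means no cookie is ever stored or
    // replayed by the client, which is acceptable because Pulsar does not use cookies.
    static AsyncHttpClientConfig hardenedConfig() {
        return new DefaultAsyncHttpClientConfig.Builder()
                .setCookieStore(null)   // disable the CookieStore entirely
                .build();
    }

    // Startup check: fail fast if a client was built with a CookieStore, so the
    // mitigation cannot silently regress when configuration code changes.
    static void assertCookieStoreDisabled(AsyncHttpClient client) {
        if (client.getConfig().getCookieStore() != null) {
            throw new IllegalStateException(
                    "AsyncHttpClient CookieStore must be disabled in Pulsar clients");
        }
    }

    public static void main(String[] args) throws Exception {
        // Default client: CookieStore present (true)
        try (AsyncHttpClient dflt = Dsl.asyncHttpClient(defaultConfig())) {
            System.out.println("default has CookieStore: "
                    + (dflt.getConfig().getCookieStore() != null));
        }
        // Hardened client: passes the startup check
        try (AsyncHttpClient hardened = Dsl.asyncHttpClient(hardenedConfig())) {
            assertCookieStoreDisabled(hardened);
            System.out.println("hardened client: CookieStore disabled");
        }
    }
}
```

Note that this only removes the vulnerable component from the code path; dependency scanners keyed on the artifact version will still flag AHC 2.12.x, which is the compliance gap the message raises.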