Hi everyone,

I wanted to bring up the recent critical severity vulnerability
(CVE-2024-53990 [1]) discovered in AsyncHttpClient versions <3.0.1,
which affects our current dependency on AsyncHttpClient 2.12.x in the
Pulsar Java client and Admin client.

In standard use cases, Pulsar doesn't use cookies, so the
AsyncHttpClient CookieStore is not used. Therefore, this vulnerability
is not directly applicable to Pulsar.
Although this is our current understanding, I have created PR #23725
[2] that implements an immediate mitigation by disabling the
CookieStore for our uses of AsyncHttpClient. Since Pulsar doesn't use
cookies, this is a feasible mitigation to declare that CVE-2024-53990
doesn't apply to Pulsar. While disabling the CookieStore mitigates the
actual vulnerability, many organizations have security policies that
require complete elimination of dependencies with critical
vulnerabilities. The current mitigation approach (null CookieStore)
may not satisfy these compliance requirements.

However, we face a significant challenge: AsyncHttpClient 3.0.1 (the
fixed version) requires Java 11+, while the Pulsar Java client and
Admin client must maintain Java 8 compatibility.
AsyncHttpClient 2.12.x is not maintained, and I'm not aware of plans
to address CVE-2024-53990 in AHC 2.12.x. I've reached out to AHC
maintainers [3] to explore the possibility of backporting the fix to
the 2.12.x branch to maintain Java 8 support, as this would be our
ideal solution.

Since it's unlikely that AHC will backport the fix to 2.12.x and make
a release on a quick schedule, we need to consider migrating to
alternative HTTP clients or raising the minimum Java version
requirement for the Pulsar Java client and Admin client from Java 8 to
Java 11+.
Initial research suggests Reactor Netty's HttpClient [4][5] as a
potential candidate for replacing AsyncHttpClient in Pulsar, as it is
Netty-based, supports Java 8, and is actively maintained.

I would appreciate the community's thoughts on:
- Which approach seems most viable?
- Are there other HTTP client alternatives we should consider?
- Are there others willing to contribute to addressing CVE-2024-53990 in Pulsar?

Best regards,

Lari

1 - GitHub advisory for CVE-2024-53990:
https://github.com/advisories/GHSA-mfj5-cf8g-g2fv
2 - https://github.com/apache/pulsar/pull/23725
3 - https://github.com/AsyncHttpClient/async-http-client/pull/2033#issuecomment-2541330573
4 - https://projectreactor.io/docs/netty/snapshot/reference/http-client.html
5 - https://github.com/reactor/reactor-netty
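Added example (not code from PR #23725 or from AsyncHttpClient itself) showing the default AHC 2.12.x configuration, which implicitly creates a CookieStore, beside the mitigated configuration with the CookieStore set to null, plus a guard a client factory can use to verify the mitigation is in effect. It assumes AHC 2.12.x on the classpath and its `DefaultAsyncHttpClientConfig.Builder.setCookieStore` / `AsyncHttpClientConfig.getCookieStore` methods.

```java
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.Dsl;

/**
 * Builds two AsyncHttpClient instances: one with the default (vulnerable-in-<3.0.1)
 * CookieStore and one with the CookieStore disabled, the mitigation the mail describes.
 * Illustrative code, not the Pulsar project's own.
 */
public class CookieStoreMitigation {

    /** Default config: AHC 2.12.x creates a ThreadSafeCookieStore implicitly. */
    static AsyncHttpClient withDefaultCookieStore() {
        return Dsl.asyncHttpClient(Dsl.config());
    }

    /** Mitigated config: a null CookieStore means no Set-Cookie is ever stored or replayed. */
    static AsyncHttpClient withCookieStoreDisabled() {
        DefaultAsyncHttpClientConfig.Builder builder = Dsl.config()
                .setCookieStore(null);
        return Dsl.asyncHttpClient(builder);
    }

    /** Fail fast if a CookieStore slips back in (e.g. after a config refactoring). */
    static AsyncHttpClient requireNoCookieStore(AsyncHttpClient client) {
        if (client.getConfig().getCookieStore() != null) {
            throw new IllegalStateException("AsyncHttpClient CookieStore must be disabled");
        }
        return client;
    }

    public static void main(String[] args) throws Exception {
        try (AsyncHttpClient unmitigated = withDefaultCookieStore()) {
            // Non-null: cookies would be stored by this client.
            System.out.println("default cookieStore: " + unmitigated.getConfig().getCookieStore());
        }
        try (AsyncHttpClient mitigated = requireNoCookieStore(withCookieStoreDisabled())) {
            // null: cookie handling is switched off entirely.
            System.out.println("mitigated cookieStore: " + mitigated.getConfig().getCookieStore());
        }
    }
}
```

Note that this changes runtime behaviour only; a dependency scanner still sees AsyncHttpClient 2.12.x on the classpath, which is the compliance concern raised above.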
