It looks like an AHC 2.12.x release is planned with the fix: https://github.com/AsyncHttpClient/async-http-client/pull/2033#issuecomment-2543985990
-Lari

On 2024/12/13 13:18:56 Lari Hotari wrote:
> Hi everyone,
>
> I wanted to bring up the recent critical severity vulnerability
> (CVE-2024-53990 [1]) discovered in AsyncHttpClient versions <3.0.1,
> which affects our current dependency on AsyncHttpClient 2.12.x in the
> Pulsar Java client and Admin client.
>
> In standard use cases, Pulsar doesn't use cookies, so the
> AsyncHttpClient CookieStore is not used. Therefore, this vulnerability
> is not directly applicable to Pulsar.
> Although this is our current understanding, I have created PR #23725
> [2] that implements an immediate mitigation by disabling the
> CookieStore for our uses of AsyncHttpClient. Since Pulsar doesn't use
> cookies, this is a feasible mitigation to declare that CVE-2024-53990
> doesn't apply to Pulsar. While disabling the CookieStore mitigates the
> actual vulnerability, many organizations have security policies that
> require complete elimination of dependencies with critical
> vulnerabilities. The current mitigation approach (null CookieStore)
> may not satisfy these compliance requirements.
>
> However, we face a significant challenge: AsyncHttpClient 3.0.1 (the
> fixed version) requires Java 11+, while the Pulsar Java client and
> Admin client must maintain Java 8 compatibility.
> AsyncHttpClient 2.12.x is not maintained, and I'm not aware of plans
> to address CVE-2024-53990 in AHC 2.12.x. I've reached out to AHC
> maintainers [3] to explore the possibility of backporting the fix to
> the 2.12.x branch to maintain Java 8 support, as this would be our
> ideal solution.
>
> Since it's unlikely that AHC will backport the fix to 2.12.x and make
> a release with a quick schedule, we need to consider migrating to
> alternative HTTP clients or raising the minimum Java version
> requirement for the Pulsar Java client and Admin client from Java 8 to
> Java 11+.
> Initial research suggests Reactor Netty's HttpClient [4][5] as a
> potential candidate for replacing AsyncHttpClient in Pulsar, as it is
> Netty-based, supports Java 8, and is actively maintained.
>
> I would appreciate the community's thoughts on:
> - Which approach seems most viable?
> - Are there other HTTP client alternatives we should consider?
> - Are there others willing to contribute to addressing CVE-2024-53990 in
>   Pulsar?
>
> Best regards,
>
> Lari
>
> 1 - GitHub advisory for CVE-2024-53990:
>     https://github.com/advisories/GHSA-mfj5-cf8g-g2fv
> 2 - https://github.com/apache/pulsar/pull/23725
> 3 - https://github.com/AsyncHttpClient/async-http-client/pull/2033#issuecomment-2541330573
> 4 - https://projectreactor.io/docs/netty/snapshot/reference/http-client.html
> 5 - https://github.com/reactor/reactor-netty
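The "null CookieStore" mitigation discussed in the thread, as an added illustration that is not code from this thread or from Pulsar PR #23725: it shows the default AHC 2.12.x configuration (which installs a cookie store) next to a configuration with the store disabled, plus a small check a project could run at startup or in a unit test to make sure the mitigation stays in place. It assumes the AHC 2.12.x API `DefaultAsyncHttpClientConfig.Builder.setCookieStore(CookieStore)` and `AsyncHttpClientConfig.getCookieStore()`, and that AHC tolerates a `null` store (the behaviour the thread relies on); the class and method names below are otherwise constructed for this example.

```java
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.AsyncHttpClientConfig;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.Dsl;

// Example class (not part of Pulsar or AHC) contrasting the two configurations.
public class CookieStoreMitigation {

    // Default configuration: AHC 2.12.x installs a ThreadSafeCookieStore, so any
    // Set-Cookie header on a response is parsed and retained by the client.
    static AsyncHttpClientConfig defaultConfig() {
        return new DefaultAsyncHttpClientConfig.Builder().build();
    }

    // Mitigated configuration: explicitly pass null so no CookieStore exists.
    // A client that never needs cookies (the thread's point about Pulsar) loses
    // nothing here, and the vulnerable cookie-handling path is never exercised.
    static AsyncHttpClientConfig noCookieStoreConfig() {
        return new DefaultAsyncHttpClientConfig.Builder()
                .setCookieStore(null)
                .build();
    }

    // Guard for a startup assertion or unit test: returns true only when the
    // mitigation is in effect, so a later refactor cannot silently re-enable it.
    static boolean cookieStoreDisabled(AsyncHttpClientConfig config) {
        return config.getCookieStore() == null;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default config, cookie store disabled: "
                + cookieStoreDisabled(defaultConfig()));          // false
        AsyncHttpClientConfig hardened = noCookieStoreConfig();
        System.out.println("hardened config, cookie store disabled: "
                + cookieStoreDisabled(hardened));                 // true

        // The hardened client is built and used like any other AHC client;
        // requests simply carry no stored cookies and store none from responses.
        try (AsyncHttpClient client = Dsl.asyncHttpClient(hardened)) {
            if (!cookieStoreDisabled(client.getConfig())) {
                throw new IllegalStateException("CookieStore unexpectedly enabled");
            }
        }
    }
}
```

As the thread itself notes, this only removes the reachable code path; dependency scanners still report AsyncHttpClient 2.12.x as affected by CVE-2024-53990, so the check above documents the mitigation for reviewers but does not replace an upgrade or a backported fix for policies that require it.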