It looks like an AHC 2.12.x release is planned with the fix:
https://github.com/AsyncHttpClient/async-http-client/pull/2033#issuecomment-2543985990

-Lari

On 2024/12/13 13:18:56 Lari Hotari wrote:
> Hi everyone,
> 
> I wanted to bring up the recent critical severity vulnerability
> (CVE-2024-53990 [1]) discovered in AsyncHttpClient versions <3.0.1,
> which affects our current dependency on AsyncHttpClient 2.12.x in the
> Pulsar Java client and Admin client.
> 
> In standard use cases, Pulsar doesn't use cookies, so the
> AsyncHttpClient CookieStore is not used. Therefore, this vulnerability
> is not directly applicable to Pulsar.
> Although this is our current understanding, I have created PR #23725
> [2] that implements an immediate mitigation by disabling the
> CookieStore for our uses of AsyncHttpClient. Since Pulsar doesn't use
> cookies, this is a feasible mitigation to declare that CVE-2024-53990
> doesn't apply to Pulsar. While disabling the CookieStore mitigates the
> actual vulnerability, many organizations have security policies that
> require complete elimination of dependencies with critical
> vulnerabilities. The current mitigation approach (null CookieStore)
> may not satisfy these compliance requirements.
> 
> However, we face a significant challenge: AsyncHttpClient 3.0.1 (the
> fixed version) requires Java 11+, while the Pulsar Java client and
> Admin client must maintain Java 8 compatibility.
> AsyncHttpClient 2.12.x is not maintained, and I'm not aware of plans
> to address CVE-2024-53990 in AHC 2.12.x. I've reached out to AHC
> maintainers [3] to explore the possibility of backporting the fix to
> the 2.12.x branch to maintain Java 8 support, as this would be our
> ideal solution.
> 
> Since it's unlikely that AHC will backport the fix to 2.12.x and make
> a release with a quick schedule, we need to consider migrating to
> alternative HTTP clients or raising the minimum Java version
> requirement for the Pulsar Java client and Admin client from Java 8 to
> Java 11+.
> Initial research suggests Reactor Netty's HttpClient [4][5] as a
> potential candidate for replacing AsyncHttpClient in Pulsar, as it is
> Netty-based, supports Java 8, and is actively maintained.
> 
> I would appreciate the community's thoughts on:
> - Which approach seems most viable?
> - Are there other HTTP client alternatives we should consider?
> - Are there others willing to contribute to addressing CVE-2024-53990 in 
> Pulsar?
> 
> Best regards,
> 
> Lari
> 
> 1 - GitHub advisory for CVE-2024-53990:
> https://github.com/advisories/GHSA-mfj5-cf8g-g2fv
> 2 - https://github.com/apache/pulsar/pull/23725
> 3 - 
> https://github.com/AsyncHttpClient/async-http-client/pull/2033#issuecomment-2541330573
> 4 - https://projectreactor.io/docs/netty/snapshot/reference/http-client.html
> 5 - https://github.com/reactor/reactor-netty
> 
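The quoted message describes the interim mitigation of disabling the AsyncHttpClient CookieStore. The following is an added illustration of what that configuration looks like against the AHC 2.12.x API; it is not the code from Pulsar PR #23725 or any other project, and the class name `NoCookieStoreClient` and the helper method names are assumptions for this example. The `DefaultAsyncHttpClientConfig.Builder#setCookieStore` and `AsyncHttpClientConfig#getCookieStore` calls are the real AHC 2.x API.

```java
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.AsyncHttpClientConfig;
import org.asynchttpclient.DefaultAsyncHttpClient;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;

/**
 * Added example (not Pulsar or AHC project code): builds an AHC 2.12.x client
 * with the CookieStore disabled, so that Set-Cookie headers from any server
 * are never stored or replayed. For a client that never relies on cookies,
 * this removes the code path that CVE-2024-53990 concerns.
 */
public class NoCookieStoreClient {

    /** Default configuration: AHC installs a cookie store unless told otherwise. */
    public static AsyncHttpClientConfig defaultConfig() {
        return new DefaultAsyncHttpClientConfig.Builder().build();
    }

    /** Hardened configuration: explicitly disable the cookie store. */
    public static AsyncHttpClientConfig noCookieStoreConfig() {
        return new DefaultAsyncHttpClientConfig.Builder()
                // A null CookieStore means AHC neither records cookies from
                // responses nor attaches stored cookies to outgoing requests.
                .setCookieStore(null)
                // Unrelated to the CVE, but sensible defaults for an admin client:
                .setConnectTimeout(10_000)
                .setReadTimeout(30_000)
                .build();
    }

    /** Simple check a test or startup self-check can run: the store must be absent. */
    public static boolean cookieStoreDisabled(AsyncHttpClientConfig config) {
        return config.getCookieStore() == null;
    }

    public static void main(String[] args) throws Exception {
        AsyncHttpClientConfig weak = defaultConfig();
        AsyncHttpClientConfig hardened = noCookieStoreConfig();

        System.out.println("default config has cookie store:  " + !cookieStoreDisabled(weak));
        System.out.println("hardened config has cookie store: " + !cookieStoreDisabled(hardened));

        // Use the hardened config for the actual client instance.
        try (AsyncHttpClient client = new DefaultAsyncHttpClient(hardened)) {
            if (!cookieStoreDisabled(client.getConfig())) {
                throw new IllegalStateException("cookie store unexpectedly enabled");
            }
        }
    }
}
```

Note that this only removes the CookieStore from the client's behaviour; as the message points out, dependency scanners still flag the AHC 2.12.x artifact itself, so a guard like `cookieStoreDisabled` is useful as a regression check while the upgrade path (a patched 2.12.x release, AHC 3.x on Java 11+, or a different client) is decided.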