Logstash information:
Please include the following information:
Using Logstash v7.17.6 and Kinesis input plugin v2.2.1. The plugin is installed via gradle
dependencies {
gem (name: "logstash-input-kinesis", version: "2.2.1", classifier: "java", ext: "gem")
}
Issue:
The latest version of the Kinesis input plugin is not Fedramp compliant and shows a handful of 3rd party vulnerabilities. Running JFrog XRay scanning tool, it looks like the vulnerabilities are brought in by the plugin using the older version of AWS SDK. Can we get that library updated? I've already opened a related PR ---> #93
The following jars and vulnerabilities are brought in by the AWS SDK library. These vulnerabilities are seen when running JFrog XRay scanning tool. There are quite a few CVEs associated with each library but listing just one.
CVE-2020-9548
logstash-input-kinesis-2.2.1-java.gem/data.tar.gz/vendor/jar-dependencies/runtime-jars/com/fasterxml/jackson/core/jackson-core/2.6.7/jackson-core-2.6.7.jar
logstash-input-kinesis-2.2.1-java.gem/data.tar.gz/vendor/jar-dependencies/runtime-jars/com/fasterxml/jackson/core/jackson-databind/2.6.7.4/jackson-databind-2.6.7.4.jar
CVE-2020-8908
logstash-input-kinesis-2.2.1-java.gem/data.tar.gz/vendor/jar-dependencies/runtime-jars/com/google/guava/guava/26.0-jre/guava-26.0-jre.jar
CVE-2021-22569
logstash-input-kinesis-2.2.1-java.gem/data.tar.gz/vendor/jar-dependencies/runtime-jars/com/google/protobuf/protobuf-java/2.6.1/protobuf-java-2.6.1.jar
Logstash information:
Please include the following information:
Using Logstash v7.17.6 and Kinesis input plugin v2.2.1. The plugin is installed via gradle
Issue:
The latest version of the Kinesis input plugin is not Fedramp compliant and shows a handful of 3rd party vulnerabilities. Running JFrog XRay scanning tool, it looks like the vulnerabilities are brought in by the plugin using the older version of AWS SDK. Can we get that library updated? I've already opened a related PR ---> #93
The following jars and vulnerabilities are brought in by the AWS SDK library. These vulnerabilities are seen when running JFrog XRay scanning tool. There are quite a few CVEs associated with each library but listing just one.
CVE-2020-9548
logstash-input-kinesis-2.2.1-java.gem/data.tar.gz/vendor/jar-dependencies/runtime-jars/com/fasterxml/jackson/core/jackson-core/2.6.7/jackson-core-2.6.7.jar
logstash-input-kinesis-2.2.1-java.gem/data.tar.gz/vendor/jar-dependencies/runtime-jars/com/fasterxml/jackson/core/jackson-databind/2.6.7.4/jackson-databind-2.6.7.4.jar
CVE-2020-8908
logstash-input-kinesis-2.2.1-java.gem/data.tar.gz/vendor/jar-dependencies/runtime-jars/com/google/guava/guava/26.0-jre/guava-26.0-jre.jar
CVE-2021-22569
logstash-input-kinesis-2.2.1-java.gem/data.tar.gz/vendor/jar-dependencies/runtime-jars/com/google/protobuf/protobuf-java/2.6.1/protobuf-java-2.6.1.jar