CVE-2022-31684: Vulnerability issue with latest azure sdk binaries 1.4.1 #32646

Closed · 3 tasks done
moyalshailendra opened this issue Dec 19, 2022 · 5 comments
Labels: Client (This issue points to a problem in the data-plane of the library); customer-reported (Issues that are reported by GitHub users external to the Azure organization); dependency-issue (Issue that is caused by dependency conflicts); question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that)

Comments

moyalshailendra commented Dec 19, 2022

Describe the bug
We have a Spring Boot application which uses the azure-identity jar of version 1.4.1 for the REST API calls towards the Azure services.
The azure-identity jar has the following sub-dependencies, as shown below, in which the netty_reactor-netty-http jar is one of them with version 1.0.11.

Exception or Stack Trace
ERROR LOGS:
mcnp | worker1.cp4narcbuild70.cp.fyre.ibm.com | mcnp:cp4na-o-mcnp-65b4b59f78-2tkbc | 2022-11-30 10:01:20.913 ERROR 1 --- [nio-8444-exec-9] com.ibm.mcnp.gateway.j.a.b : Failed to list VNets: java.lang.NoSuchMethodError: reactor/core/publisher/MonoSink.contextView()Lreactor/util/context/ContextView; (loaded from jar
/data/mcnp-2.6.2-alpha-16.jar!/BOOT-INF/lib/reactor-core-3.4.10.jar!/ by org.springframework.boot.loader.LaunchedURLClassLoader@e7532b5f) called from class reactor.netty.http.client.HttpClientConnect$HttpObserver (loaded from jar
/data/mcnp-2.6.2-alpha-16.jar!/BOOT-INF/lib/reactor-netty-http-1.0.24.jar!/ by org.springframework.boot.loader.LaunchedURLClassLoader@e7532b5f).
java.util.concurrent.ExecutionException: java.lang.NoSuchMethodError: reactor/core/publisher/MonoSink.contextView()Lreactor/util/context/ContextView; (loaded from jar
/data/mcnp-2.6.2-alpha-16.jar!/BOOT-INF/lib/reactor-core-3.4.10.jar!/ by org.springframework.boot.loader.LaunchedURLClassLoader@e7532b5f) called from class reactor.netty.http.client.HttpClientConnect$HttpObserver (loaded from jar
/data/mcnp-2.6.2-alpha-16.jar!/BOOT-INF/lib/reactor-netty-http-1.0.24.jar!/ by org.springframework.boot.loader.LaunchedURLClassLoader@e7532b5f).
at java.base/java.util.concurrent.FutureTask.report(Unknown Source)

To Reproduce
Consume identity jar in any microservice and see the dependency tree.

Code Snippet
Add the code snippet that causes the issue.

Expected behavior
It should consume the latest reactor-netty-http jar version without the vulnerability.

Screenshots
[INFO] +- com.azure:azure-identity:jar:1.4.1:compile
[INFO] | +- com.azure:azure-core-http-netty:jar:1.11.2:compile
[INFO] | | +- io.netty:netty-handler-proxy:jar:4.1.68.Final:compile
[INFO] | | | \- io.netty:netty-codec-socks:jar:4.1.77.Final:compile
[INFO] | | +- io.netty:netty-buffer:jar:4.1.68.Final:compile
[INFO] | | +- io.netty:netty-codec-http2:jar:4.1.68.Final:compile
[INFO] | | +- io.netty:netty-transport-native-unix-common:jar:4.1.68.Final:compile
[INFO] | | +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.77.Final:compile
[INFO] | | +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.77.Final:compile
[INFO] | | | \- io.netty:netty-transport-classes-kqueue:jar:4.1.77.Final:compile
[INFO] | | \- io.projectreactor.netty:reactor-netty-http:jar:1.0.11:compile
[INFO] | | +- io.netty:netty-resolver-dns:jar:4.1.77.Final:compile
[INFO] | | | \- io.netty:netty-codec-dns:jar:4.1.77.Final:compile
[INFO] | | +- io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.77.Final:compile
[INFO] | | | \- io.netty:netty-resolver-dns-classes-macos:jar:4.1.77.Final:compile
[INFO] | | \- io.projectreactor.netty:reactor-netty-core:jar:1.0.11:compile

Setup (please complete the following information):

  • OS: [e.g. iOS] Openshift container platform
  • IDE: [e.g. IntelliJ] Eclipse
  • Library/Libraries: [e.g. com.azure:azure-core:1.16.0 (groupId:artifactId:version)] com.azure:azure-identity:jar:1.4.1
  • Java version: [e.g. 8] Java 11
  • App Server/Environment: [e.g. Tomcat, WildFly, Azure Function, Apache Spark, Databricks, IDE plugin or anything special] Tomcat
  • Frameworks: [e.g. Spring Boot, Micronaut, Quarkus, etc] Spring boot

If you suspect a dependency version mismatch (e.g. you see NoClassDefFoundError, NoSuchMethodError or similar), please check out Troubleshoot dependency version conflict article first. If it doesn't provide solution for the problem, please provide:

  • verbose dependency tree (mvn dependency:tree -Dverbose)
  • exception message, full stack trace, and any available logs

Additional context
Since the netty_reactor-netty-http jar has been reported as vulnerable, it is recommended to use the higher version 1.0.24 (PFA). But once the netty_reactor-netty-http jar is updated to version 1.0.24, the Azure functions break with the below error (NoSuchMethodError), since the updated version of the netty jar is incompatible with Azure. Kindly help in resolving the incompatibility issue, as we cannot move the netty jar to any lower version.

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Dec 19, 2022
moyalshailendra (Author) commented:

@[email protected]
This is for your reference.

@alzimmermsft alzimmermsft added Client This issue points to a problem in the data-plane of the library. dependency-issue Issue that is caused by dependency conflicts labels Dec 21, 2022
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Dec 21, 2022
alzimmermsft commented Dec 21, 2022

Thanks for filing this issue @moyalshailendra.

To start, we are going to be releasing new versions of the SDKs next month where the Reactor Netty CVE is resolved. Also, azure-identity 1.4.1 isn't the latest version available at this time, it is 1.7.2.

When you upgrade reactor-netty to 1.0.24 manually, the error you're seeing is that Reactor Netty is using an API, MonoSink.contextView, which was added in reactor-core 3.4.17. The error is most likely happening due to an older version of Reactor Core being resolved, given how old the Azure SDKs being used in the Spring application are, or because of the Spring dependencies themselves.

The error should be resolvable by making sure that the latest versions of the Azure SDKs are being used and by ensuring Reactor Core 3.4.17 or later is being used (I don't recommend using Reactor Core 3.5.0 with the Azure SDKs yet as we have not upgraded to them ourselves, but the Azure SDKs try their best to not rely on APIs being removed by 3.5.x so they most likely will work with Reactor Core 3.5.x).

@alzimmermsft alzimmermsft self-assigned this Dec 21, 2022
Soorajskmr07 commented Dec 26, 2022

Thanks for looking into this @alzimmermsft.

I have tried updating the version of the azure-identity jar to the latest version, which is 1.7.2, but the dependent jar still takes the lower version of the reactor-netty-http jar.
[INFO] +- com.azure:azure-identity:jar:1.7.2:compile
[INFO] | +- com.azure:azure-core-http-netty:jar:1.11.2:compile
[INFO] | | +- io.netty:netty-handler-proxy:jar:4.1.68.Final:compile
[INFO] | | | \- io.netty:netty-codec-socks:jar:4.1.77.Final:compile
[INFO] | | +- io.netty:netty-buffer:jar:4.1.68.Final:compile
[INFO] | | +- io.netty:netty-codec-http2:jar:4.1.68.Final:compile
[INFO] | | +- io.netty:netty-transport-native-unix-common:jar:4.1.68.Final:compile
[INFO] | | +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.77.Final:compile
[INFO] | | +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.77.Final:compile
[INFO] | | | \- io.netty:netty-transport-classes-kqueue:jar:4.1.77.Final:compile
[INFO] | | \- io.projectreactor.netty:reactor-netty-http:jar:1.0.11:compile

Also, when the Azure SDK was updated to the latest version, 1.2.8, the dependent azure-identity and reactor-core-http were updated through the Azure SDK upgrade, but reactor-core-http falls on a vulnerable version, which is 1.0.23.

[INFO] +- com.azure:azure-identity:jar:1.7.0:compile
[INFO] | +- com.azure:azure-core-http-netty:jar:1.12.7:compile
[INFO] | | +- io.netty:netty-handler-proxy:jar:4.1.77.Final:compile
[INFO] | | | \- io.netty:netty-codec-socks:jar:4.1.77.Final:compile
[INFO] | | +- io.netty:netty-buffer:jar:4.1.77.Final:compile
[INFO] | | +- io.netty:netty-codec-http2:jar:4.1.77.Final:compile
[INFO] | | +- io.netty:netty-transport-native-unix-common:jar:4.1.77.Final:compile
[INFO] | | +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.77.Final:compile
[INFO] | | +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.77.Final:compile
[INFO] | | | \- io.netty:netty-transport-classes-kqueue:jar:4.1.77.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:2.0.39.Final:compile
[INFO] | | \- io.projectreactor.netty:reactor-netty-http:jar:1.0.23:compile

[Screenshot attached: Screenshot 2022-12-26 at 12 38 08 PM]

alzimmermsft (Member) commented:

Thanks for the update @Soorajskmr07.

For the first case you gave, where updating the azure-identity version resulted in old versions of Netty still being used, do you have a dependency on another library where they're using different versions of Netty? The reason I ask is that the dependency resolution appears to have conflicts where a dependency listed earlier is resolving those specific versions of Netty.

This then leads to the second part, where you're using azure-sdk-bom 1.2.8 and the dependencies are resolving to the latest versions used by the Azure SDKs, as the azure-sdk-bom decides which transitive versions are resolved. This will be fixed with Reactor Netty 1.0.24 in January, but in the meantime you should be able to use azure-sdk-bom 1.2.8 and directly use Reactor Netty 1.0.24 to override the version of Reactor Netty being used to one without a CVE associated with it.
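The override described in the two maintainer replies above (import azure-sdk-bom 1.2.8, pin Reactor Netty to 1.0.24, and make sure the Reactor Core that gets resolved is 3.4.17 or later, since reactor-netty 1.0.24 calls MonoSink.contextView which only exists from that version on) looks like this in a Maven POM. This is an added example, not code from the issue, the reporter's application or the Azure SDK project; it assumes a Maven build, the artifact coordinates com.azure:azure-sdk-bom and io.projectreactor:reactor-core, placeholder project coordinates, and the version numbers quoted in the thread.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder project coordinates -->
  <groupId>com.example</groupId>
  <artifactId>identity-client</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Explicit pins declared here take precedence over versions supplied by an
           imported BOM or an inherited parent, so this is where the CVE fix goes.
           The three pins must stay mutually compatible: reactor-netty 1.0.24 uses
           MonoSink.contextView(), which reactor-core provides from 3.4.17 onward.
           3.4.17 is the minimum named in the thread; any later 3.4.x also works. -->
      <dependency>
        <groupId>io.projectreactor.netty</groupId>
        <artifactId>reactor-netty-http</artifactId>
        <version>1.0.24</version>
      </dependency>
      <dependency>
        <groupId>io.projectreactor.netty</groupId>
        <artifactId>reactor-netty-core</artifactId>
        <version>1.0.24</version>
      </dependency>
      <dependency>
        <groupId>io.projectreactor</groupId>
        <artifactId>reactor-core</artifactId>
        <version>3.4.17</version>
      </dependency>

      <!-- The BOM chooses consistent versions for every other Azure SDK artifact and
           the Netty artifacts they pull in transitively. -->
      <dependency>
        <groupId>com.azure</groupId>
        <artifactId>azure-sdk-bom</artifactId>
        <version>1.2.8</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No version element: the BOM supplies it, so azure-identity and its
         azure-core-http-netty dependency are resolved as a matching set. -->
    <dependency>
      <groupId>com.azure</groupId>
      <artifactId>azure-identity</artifactId>
    </dependency>
  </dependencies>
</project>
```

After changing the POM, re-run mvn dependency:tree -Dverbose and look at the reactor-netty-http and reactor-core lines: the verbose tree marks omitted candidates with "omitted for conflict", so if 1.0.11 or 1.0.23 still wins, the tree shows which earlier dependency is pulling it in, which is the conflict the maintainer asks about. If the project inherits from spring-boot-starter-parent, Spring Boot's dependency management also sets Reactor versions; the child POM's dependencyManagement entries above still override the inherited ones, and (as an assumption about the Spring Boot parent, not something the thread states) the reactor-bom.version property offers an alternative way to move the whole Reactor release train at once.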

alzimmermsft (Member) commented:

A new release of azure-identity, 1.7.3, has happened, which depends on versions of Reactor Netty and Netty that don't have this CVE.

@github-actions github-actions bot locked and limited conversation to collaborators Jul 17, 2023