[2.16] io.grpc:grpc-protobuf CVE-2023-1428 & CVE-2023-32731

[famod]

Describe the bug

trivy started to report these two issues (ranked as "HIGH") for my app which is still on 2.16(.8):

• https://access.redhat.com/security/cve/CVE-2023-1428 / https://nvd.nist.gov/vuln/detail/CVE-2023-1428
• https://access.redhat.com/security/cve/CVE-2023-32731 / https://nvd.nist.gov/vuln/detail/CVE-2023-32731

In my case this dependency seems to be coming from the OTEL OTLP export feature.
In this case Quarkus is a client (right?) so I'm under the impression that those are non-issues for me (would appreciate a confirmation here).
I suppose other use-cases of grpc-protobuf might in fact be vulnerable.

PS: main/3.x has moved far beyond the affected grpc version.
PPS: I haven't checked 2.13.

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

[famod]

/cc @sberyozkin @brunobat

[brunobat]

I did a mvn dependency:tree on the runtime of quarkus-opentelemetry under Quarkus 2.16.x.
This dependency seems to come from quarkus-grpc-common:

 +- io.quarkus:quarkus-grpc-common:jar:2.16.999-SNAPSHOT:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- io.vertx:vertx-grpc:jar:4.3.7:compile
[INFO] |  |  +- io.grpc:grpc-netty:jar:1.51.1:compile
[INFO] |  |  |  +- io.grpc:grpc-core:jar:1.51.1:compile
[INFO] |  |  |  |  \- com.google.code.gson:gson:jar:2.10:runtime
[INFO] |  |  |  \- io.perfmark:perfmark-api:jar:0.25.0:runtime
[INFO] |  |  +- io.grpc:grpc-protobuf:jar:1.51.1:compile
[INFO] |  |  |  +- com.google.protobuf:protobuf-java:jar:3.22.0:compile
[INFO] |  |  |  +- com.google.api.grpc:proto-google-common-protos:jar:2.11.0:compile
[INFO] |  |  |  \- io.grpc:grpc-protobuf-lite:jar:1.51.1:compile
[INFO] |  |  \- com.google.guava:guava:jar:31.1-jre:compile
[INFO] |  |     +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |     \- com.google.j2objc:j2objc-annotations:jar:1.3:compile

[brunobat]

cc @alesj

[famod]

FWIW, I had a brief look at the 1.52.0+ dependabot PRs for grpc that went into main and it looks like none of them required special adjustments.

[sberyozkin]

@cescoffier Hi Clement are you aware of these issues being possibly fixed with newer Vert.x releases in 3.x ? Though the dates of CVEs are very recent, may be not

[sberyozkin]

Latest OWASP report does not show these CVEs on main, so indeed looks like it affecting earlier Vert.x versions. I'm not sure relevant versions bumps can be done for 2.16 as it is usually sensitive. I'll let Clement decide

[cescoffier]

@sberyozkin Quarkus defines the version of these artifacts. So we can update even in 2.16.

[sberyozkin]

@cescoffier Can you please suggest backports for related PRs in the 3.x base ?

[gsmet]

That's not exactly true that we could apply all upgrade without changes: https://github.com/quarkusio/quarkus/pull/32140/files .

But we can update to 1.53.0 as a first step.

[cescoffier]

Yes, we cannot update blindly.
1.53 is a good tradeoff.

[gsmet]

The upgrade is part of #34895 .