Usage of Vulnerable Apache HttpCore Dependency Jar - Security Concern
02-15-2024 11:11 PM
Hi Team,
Upon reviewing the Maven Repository, we have observed that the latest version of Apache HttpCore (4.4.16) is flagged as vulnerable and EOL due to dependencies (https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.16), and the artifact has been relocated to org.apache.httpcomponents.core5 » httpcore5. Apache HttpClient (version 4.5.14 >> 5.4.x) has undergone a similar transition.
Apache HttpClient serves as both a direct and indirect dependency for the below-mentioned jars that we (MDM) use for Android Enterprise Management. However, we have identified that several jars listed below continue to utilize the older version of Apache HttpClient (4.5.14), which is marked as vulnerable and EOL, despite the availability of the latest version (5.4.x).
This persistence poses a significant security risk for us and our customers using Android Enterprise via our product.
Could you please provide guidance on how best to address this issue?
Are there any alternate jars available that we can use to achieve the below-mentioned functionalities?
S.No | Artifact Id | Latest Available Version | Direct or Indirect Dependency of vulnerable jars | Usage in Product
--- | --- | --- | --- | ---
1 | google-api-client | | Direct dependency - HttpClient | 1. GoogleJSONResponseException - To show a relevant error message for this exception
2 | google-http-client-apache-v2 | | Direct dependency - HttpClient | 1. ApacheHttpTransport (v2) --> To build httpTransport. It has a wide variety of options to configure the connection
3 | google-oauth-client | | Not directly dependent. Depends on google-http-client > httpclient | To handle exceptions accordingly in our product
4 | google-api-services-androidmanagement | | Not directly dependent. Depends on google-api-client > httpclient | Android Management API (To manage via Android Device Policy DPC)
5 | google-api-services-admin-directory | | | Directory API
6 | chromepolicyapi.jar | -- | Not directly dependent. Depends on google-api-client > httpclient | ChromeOS Management
Labels: Security
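The post above is really a transitive-dependency question: the legacy `org.apache.httpcomponents:httpclient` 4.x and `httpcore` 4.x artifacts arrive through the Google client libraries rather than through the product's own `pom.xml`. A quick way to keep track of that, independent of what the library vendor eventually does, is to scan the plain-text output of `mvn dependency:tree` and report every HttpComponents 4.x node together with the chain of parents that pulled it in. The script below is an added example written for this thread; it is not code from Google, Apache or the poster's product. It assumes the tree-drawing format that the Maven dependency plugin prints (`+-`, `\-`, `|` prefixes, three columns per level). The embedded sample tree is constructed: the `0.0.0-SAMPLE` versions of the Google artifacts are placeholders, while the `httpclient 4.5.14` and `httpcore 4.4.16` versions are the ones named in the post.

```python
"""Flag legacy Apache HttpComponents 4.x artifacts in `mvn dependency:tree` output.

Added example for this thread, not code from Google, Apache or the poster's product.
It parses the plain-text tree that `mvn dependency:tree` prints and reports every
org.apache.httpcomponents:httpclient / httpcore node with major version 4, along with
the chain of parent artifacts that pulled it in, so the transitive path is visible.
"""
import re
from dataclasses import dataclass

LEGACY_GROUP = "org.apache.httpcomponents"
LEGACY_ARTIFACTS = {"httpclient", "httpcore"}
LEGACY_MAJOR = 4

# Characters the Maven dependency plugin uses to draw the tree; one level == 3 chars.
_PREFIX_CHARS = set("+-\\| ")
# group:artifact:type:version[:scope]
_COORD = re.compile(r"^[\w.-]+:[\w.-]+:[\w.-]+:[\w.-]+(?::[\w.-]+)?$")

# Constructed sample output (not from the thread). Google artifact versions are
# placeholders; the httpclient/httpcore versions are the ones the post names.
SAMPLE_TREE = r"""
[INFO] com.example:mdm-server:jar:0.0.0-SAMPLE
[INFO] +- com.google.api-client:google-api-client:jar:0.0.0-SAMPLE:compile
[INFO] |  +- com.google.http-client:google-http-client-apache-v2:jar:0.0.0-SAMPLE:compile
[INFO] |  |  \- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  |     \- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
[INFO] |  \- com.google.oauth-client:google-oauth-client:jar:0.0.0-SAMPLE:compile
[INFO] +- com.google.apis:google-api-services-androidmanagement:jar:0.0.0-SAMPLE:compile
[INFO] \- org.apache.httpcomponents.client5:httpclient5:jar:0.0.0-SAMPLE:compile
[INFO]    \- org.apache.httpcomponents.core5:httpcore5:jar:0.0.0-SAMPLE:compile
[INFO] BUILD SUCCESS
"""


@dataclass(frozen=True)
class Finding:
    coordinate: str          # group:artifact:version of the flagged node
    path: tuple[str, ...]    # ancestor coordinates, root module excluded
    transitive: bool         # True when another dependency pulled it in


def _split_line(line: str) -> tuple[int, str]:
    """Return (depth, coordinate) for one tree line; depth 0 is the root module."""
    body = line.removeprefix("[INFO] ")
    i = 0
    while i < len(body) and body[i] in _PREFIX_CHARS:
        i += 1
    return i // 3, body[i:]


def _is_legacy(coord: str) -> bool:
    """True for org.apache.httpcomponents:{httpclient,httpcore} with a 4.x version."""
    group, artifact, _type, version = coord.split(":")[:4]
    major = re.match(r"(\d+)", version)
    return (group == LEGACY_GROUP and artifact in LEGACY_ARTIFACTS
            and major is not None and int(major.group(1)) == LEGACY_MAJOR)


def find_legacy_httpcomponents(tree_text: str) -> list[Finding]:
    """Walk the tree text and collect every legacy HttpComponents node with its path."""
    findings: list[Finding] = []
    stack: list[str] = []    # stack[d] is the coordinate at depth d
    for raw in tree_text.splitlines():
        line = raw.strip()
        if not line.startswith("[INFO]"):
            continue
        depth, coord = _split_line(line)
        if not _COORD.match(coord):
            continue             # not a dependency line (e.g. "BUILD SUCCESS")
        del stack[depth:]        # drop siblings/children of the previous node
        stack.append(coord)
        if _is_legacy(coord):
            group, artifact, _type, version = coord.split(":")[:4]
            findings.append(Finding(
                coordinate=f"{group}:{artifact}:{version}",
                path=tuple(stack[1:depth]),
                transitive=depth > 1,
            ))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Render one line per finding: the legacy artifact and who pulled it in."""
    lines = []
    for f in findings:
        via = " -> ".join(":".join(p.split(":")[:2]) for p in f.path) or "(direct)"
        lines.append(f"{f.coordinate}  via  {via}")
    return lines


if __name__ == "__main__":
    for line in report(find_legacy_httpcomponents(SAMPLE_TREE)):
        print(line)
```

Run it against real output with `mvn dependency:tree > tree.txt` and feed the file contents to `find_legacy_httpcomponents`. The `path` on each finding is what you need when deciding whether a legacy artifact is something you can exclude or override in your own `pom.xml`, or whether, as in the post's table, it is an API-level requirement of a library you do not control and only a vendor-side upgrade can remove it.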
02-16-2024 02:18 AM
Hello @sharmilashree,
Great to meet you and welcome to the Android Enterprise Customer Community.
I see you mention you are a partner; I wonder, do you have access to the Android Enterprise Partner Portal? If so, I would recommend posting this there, and the Partner team will be able to troubleshoot this with you.
If you have any questions on this, just let me know.
Thanks so much,
Lizzie
02-16-2024 05:22 AM
Sure @Lizzie, thanks!