Usage of Vulnerable Apache HttpCore Dependency Jar - Security Concern

sharmilashree

Hi Team,
Upon reviewing the Maven Repository, we have observed that the latest version of Apache HttpCore (4.4.16) is flagged as vulnerable and EOL due to dependencies (https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.16), and that the artifact has been relocated to org.apache.httpcomponents.core5 » httpcore5. Apache HttpClient (version 4.5.14 >> 5.4.x) has undergone a similar transition.

Apache HttpClient serves as both a direct and an indirect dependency of the jars listed below, which we (MDM) use for Android Enterprise management. However, we have identified that several of these jars continue to use the older version of Apache HttpClient (4.5.14), which is marked as vulnerable and EOL, despite the availability of the latest version (5.4.x).

This persistence poses a significant security risk for us and our customers using Android Enterprise via our product.


Could you please provide guidance on how best to address this issue?

Are there any alternate jars available that we can use to achieve the functionalities listed below?

S.No | Artifact Id | Latest Available Version | Direct or Indirect Dependency of vulnerable jars | Usage in Product
1 | google-api-client | | Direct dependency - HttpClient | 1. GoogleJSONResponseException - to show a relevant error message for this exception. 2. BatchRequest (suggested - here)
2 | google-http-client-apache-v2 | | Direct dependency - HttpClient | 1. ApacheHttpTransport (v2) --> to build the httpTransport. It has a wide variety of options to configure the connection.
3 | google-oauth-client | | Not directly dependent. Depends on google-http-client > httpclient | To handle exceptions accordingly in our product
4 | google-api-services-androidmanagement | | Not directly dependent. Depends on google-api-client > httpclient | Android Management API (to manage via the Android Device Policy DPC)
5 | google-api-services-admin-directory | | Not directly dependent. Depends on google-api-client > httpclient | Directory API
6 | chromepolicyapi.jar | -- | Not directly dependent. Depends on google-api-client > httpclient | ChromeOS Management
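As an added example from the editor (not part of the original post and not guidance from Google), the pom.xml fragment below shows the two levers Maven gives a consumer of these jars while the upstream libraries still resolve to httpclient 4.x. The first step is to see exactly which paths pull the artifact in: `mvn dependency:tree -Dincludes=org.apache.httpcomponents` (add `-Dverbose` to also see the versions Maven omitted as conflicts). The fragment then pins the transitive httpclient through dependencyManagement so every path resolves to the same vetted version, excludes it from google-api-client for the case where the Apache transport is no longer used, and adds a maven-enforcer-plugin rule that fails the build if httpclient reappears. The artifact coordinates and the 4.5.14 version come from the post above; the `${google-api-client.version}` property and the enforcer plugin version are assumptions, and the exclusion assumes the transport is built with `com.google.api.client.http.javanet.NetHttpTransport` (part of google-http-client, which does not need Apache HttpClient) instead of ApacheHttpTransport.

```xml
<!-- Added example, not the project's own pom.xml. Assumes the build already
     declares google-api-client and the other jars from the table above. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Lever 1: pin the transitive httpclient to one vetted version so that
           google-api-client, google-http-client-apache-v2 and the rest all
           resolve to the same artifact and no older 4.5.x slips in elsewhere.
           4.5.14 is the version named in the post; replace with whatever you vet. -->
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.14</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Lever 2: cut httpclient out of the google-api-client path. Only safe once
         ApacheHttpTransport (google-http-client-apache-v2) is no longer used and
         the transport is built with NetHttpTransport; otherwise the Apache classes
         are missing at runtime. -->
    <dependency>
      <groupId>com.google.api-client</groupId>
      <artifactId>google-api-client</artifactId>
      <version>${google-api-client.version}</version> <!-- assumed property -->
      <exclusions>
        <exclusion>
          <groupId>org.apache.httpcomponents</groupId>
          <artifactId>httpclient</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Guard for lever 2: fail the build if any path reintroduces httpclient 4.x,
           so a future upgrade of one of the Google jars cannot silently bring it back. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed; use the version your build already pins -->
        <executions>
          <execution>
            <id>ban-httpclient4</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>org.apache.httpcomponents:httpclient</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Re-run `mvn dependency:tree -Dincludes=org.apache.httpcomponents` after each change: with lever 1 alone the tree should show a single httpclient version on every path; with lever 2 and the enforcer rule the artifact should be absent and the build should fail if it returns. Excluding httpclient while still calling ApacheHttpTransport (row 2 of the table) breaks at runtime, so that row has to move to NetHttpTransport first.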

Lizzie
Google Community Manager

Hello @sharmilashree,

Great to meet you and welcome to the Android Enterprise Customer Community.

I see you mention you are a partner; I wonder, do you have access to the Android Enterprise Partner Portal? If so, I would recommend posting this there and the Partner team will be able to troubleshoot this with you.

If you have any questions on this, just let me know.

Thanks so much,

Lizzie




Sure @Lizzie, thanks!