
CDK custom resource CustomCDKBucketDeployment: SecurityHub HIGH notification: CVE-2023-43804 - Python urllib3 #27661

Closed
Rick-Ernsting opened this issue Oct 24, 2023 · 14 comments
Assignees
Labels
dependencies This issue is a problem in a dependency or a pull request that updates a dependency file. language/python Related to Python bindings third-party This issue is related to third-party libraries or applications.

Comments

@Rick-Ernsting

Rick-Ernsting commented Oct 24, 2023

Describe the bug

In SecurityHub we get a HIGH severity notification "CVE-2023-43804 - urllib3" with message:

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

We get this notification when the CDK custom resource CustomCDKBucketDeployment is deployed by CDK. Can you update urllib3 to a version which is not vulnerable?

Expected Behavior

That we get no SecurityHub notification

Reproduction Steps

When we deploy this:

```typescript
import { DataResourceType, Trail } from 'aws-cdk-lib/aws-cloudtrail';
import { LogGroup, RetentionDays } from 'aws-cdk-lib/aws-logs';

// props, elevatedPrivilegesTrailBucket, elevatedPrivilegesTrailKey and
// invokeElevatedPrivilegesFn are defined elsewhere in the stack.
const elevatedPrivilegesTrail = new Trail(this, 'ElevatedPrivilegesTrail', {
  trailName: props.envContext.elevatedPrivilegesTrailName,
  bucket: elevatedPrivilegesTrailBucket,
  encryptionKey: elevatedPrivilegesTrailKey,
  sendToCloudWatchLogs: true,
  cloudWatchLogGroup: new LogGroup(this, 'ElevatedPrivilegesTrailLogGroup', {
    logGroupName: 'LZElevatedPrivilegesTrail',
    retention: RetentionDays.SIX_MONTHS,
  }),
});
// Record data events for the elevated-privileges Lambda only
elevatedPrivilegesTrail.addEventSelector(
  DataResourceType.LAMBDA_FUNCTION,
  [invokeElevatedPrivilegesFn.functionArn],
  { includeManagementEvents: false },
);
```

We then see the SecurityHub HIGH notification: CVE-2023-43804 - Python urllib3

Possible Solution

Upgrade the Python urllib3 library

Additional Information/Context

No response

CDK CLI Version

2.96.2

Framework Version

No response

Node.js Version

18.16.0

OS

Windows

Language

TypeScript, Python

Language Version

TypeScript 5.1.3

Other information

No response

@Rick-Ernsting Rick-Ernsting added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 24, 2023
@github-actions github-actions bot added the @aws-cdk/aws-securityhub Related to AWS Security Hub label Oct 24, 2023
@indrora indrora added SECURITY language/python Related to Python bindings third-party This issue is related to third-party libraries or applications. dependencies This issue is a problem in a dependency or a pull request that updates a dependency file. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. @aws-cdk/aws-securityhub Related to AWS Security Hub labels Oct 24, 2023
@indrora
Contributor

indrora commented Oct 24, 2023

@aws/aws-cdk-maintainers

@vinayak-kukreja vinayak-kukreja self-assigned this Oct 26, 2023
@vinayak-kukreja
Contributor

Taking a look into replicating this issue.

@netvolart

I have the same problem. Critical security report for a bunch of Custom Resources.
CVE-2023-45803 - urllib3
CVE-2023-43804 - urllib3

Recommended mitigation by AWS inspector:
Update urllib3 to 2.0.7
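As an added example (not code from this issue or from aws-cdk), a small Python check that maps an installed urllib3 version to the two advisories named in this thread, so a `pip freeze` from a layer or bundle can be triaged before Inspector reports it. The 1.26.17 / 2.0.5 and 2.0.7 thresholds are the ones quoted above; the 1.26.18 fix version for CVE-2023-45803 comes from the upstream urllib3 advisory rather than from anything posted here, and the sample freeze output is constructed.

```python
import re

# Fixed versions per release line, keyed by major version of the installed
# urllib3. CVE-2023-43804 thresholds (1.26.17 / 2.0.5) are quoted in the
# Security Hub finding above; 2.0.7 for CVE-2023-45803 is the Inspector
# recommendation in this thread. 1.26.18 for CVE-2023-45803 comes from the
# upstream urllib3 advisory and is not stated anywhere in the thread.
FIXED_IN = {
    "CVE-2023-43804": {1: (1, 26, 17), 2: (2, 0, 5)},
    "CVE-2023-45803": {1: (1, 26, 18), 2: (2, 0, 7)},
}


def parse_version(text):
    """'1.26.16' -> (1, 26, 16); pre-release/local suffixes are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised urllib3 version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def open_advisories(version):
    """Return the CVE ids from FIXED_IN whose fix this installed version still lacks."""
    v = parse_version(version)
    hits = []
    for cve, by_line in FIXED_IN.items():
        if v[0] >= 2:
            fixed = by_line[2]      # 2.x line; 2.1+ is newer than both fixes
        elif v[0] == 1:
            fixed = by_line[1]      # 1.26.x maintenance line
        else:
            hits.append(cve)        # 0.x predates both fix lines: flag it
            continue
        if v < fixed:
            hits.append(cve)
    return hits


def scan_freeze(freeze_output):
    """Find the urllib3 pin in `pip freeze`-style text and report open advisories."""
    for line in freeze_output.splitlines():
        name, sep, ver = line.partition("==")
        if sep and name.strip().lower() == "urllib3":
            return {"version": ver.strip(), "open": open_advisories(ver)}
    return None  # urllib3 not present at all


# Constructed sample resembling a `pip freeze` from a Lambda layer; not real layer contents.
SAMPLE_FREEZE = "awscli==1.29.0\nbotocore==1.31.0\nurllib3==1.26.16\n"

if __name__ == "__main__":
    print(scan_freeze(SAMPLE_FREEZE))
```

Run `pip freeze` inside the layer's Python environment and pass its output to `scan_freeze`; an empty `open` list means neither advisory applies to that pin.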

@vinayak-kukreja
Contributor

> Critical security report for a bunch of Custom Resources

Hey @volkovartem, could you please tell us which resources you are seeing these for? Also, what CDK version are you using right now?

@vinayak-kukreja
Contributor

Hey @Rick-Ernsting, I tried replicating with the code you mentioned, but that does not create CustomCDKBucketDeployment. Could you please provide some reproduction steps?

And could you also share what your Security Hub setup looks like? Are there any integrations that are adding to the findings?

The reason I ask is that, to replicate CustomCDKBucketDeployment, I am deploying:

```typescript
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';

const websiteBucket = new Bucket(this, 'Test-WebsiteBucket', {
  websiteIndexDocument: 'index.html',
  publicReadAccess: false,
});

// Copies ./website-dist into the bucket via the CustomCDKBucketDeployment custom resource
new BucketDeployment(this, 'Test-DeployWebsite', {
  sources: [Source.asset('./website-dist')],
  destinationBucket: websiteBucket,
  destinationKeyPrefix: 'web/static',
});
```

and this right now is not showing a urllib3 finding.

@vinayak-kukreja
Contributor

Can confirm, I see CVE-2023-43804 - urllib3 using aws-s3-deployment in Amazon Inspector. Investigating more.

mergify bot pushed a commit that referenced this issue Nov 8, 2023
I released a newer version of this library but it has not made it to the cdk repo yet. Upgrading this could help with resolving a security issue: #27661


Needed to run multiple integ tests for this and got warnings similar to the following:
```
Stack: test-bucket-deployment-deployed-bucket - Resource: DeployMe5AwsCliLayerF0F79631 - Impact: WILL_REPLACE
!!! If these destructive changes are necessary, please indicate this on the PR !!!
Failed: /Users/vinakuk/Desktop/Work/Repositories/CDK/Ops/Security-Issue/aws-cdk/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-signcontent.js
!!! This test contains destructive changes !!!
```

I believe this is expected since the version of the library is changing.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@vinayak-kukreja
Contributor

Hey, we have merged in the update. It would make it into the next cdk release 2.106.0.

Keeping this issue open to confirm if that release resolves the issue for you.

@vinayak-kukreja vinayak-kukreja added the in-progress This issue is being actively worked on. label Nov 8, 2023
@Rick-Ernsting
Author

Hello Vinayak,
Thank you.
Cheers, Rick

@netvolart

Thank you, guys!

@vinayak-kukreja
Contributor

Hey apologies, there was an issue after merging this in the pipeline. I am actively looking into it and will update here with the progress.

@vinayak-kukreja
Contributor

Hey, thank you for your patience. :)

We have released it as part of our most recent update: https://github.com/aws/aws-cdk/releases/tag/v2.106.0. Please let me know if you still see a security hub notification after updating to this version.

@vinayak-kukreja vinayak-kukreja removed the in-progress This issue is being actively worked on. label Nov 10, 2023
mikewrighton pushed a commit that referenced this issue Nov 13, 2023
@Rick-Ernsting
Author

Hello Vinayak. Thank you for the update. I see that the urllib3 library is updated to a version which doesn't contain the CVE-2023-43804 problem. I updated and deployed my stacks and saw that the security hub/inspector notification disappeared.
Thank you for your support.
Cheers! Rick

@Rick-Ernsting
Author

Closed
