Shaded Guava 20.0 dependency vulnerable to CVE-2018-10237

[wrprice]

Expected behavior

Bundled (shaded) dependencies should not have any known security defects. Specifically, the shaded Guava library should be at least version 24.1.1 or 25.0, or newer.

Actual behavior

Guava 11.0 through 24.1 (inclusive) contain two classes that, if exploited via Java and/or GWT Serialization, can lead to unbounded memory allocation. This vulnerability is covered by CVE-2018-10237.

The master branch of ApplicationInsights Java library still depends on Guava 20.0 and shades within the published applicationinsights-core JAR. (I have not checked other JARs from this library.) This version of Guava has been included since at least version 2.1.2 of this library, and likely earlier versions.

[dhaval24]

@wrprice thanks for creating this issue. @littleaj lets prioritize this.

[dhaval24]

The issue with moving to guava 24 or higher is that it doesn't support Java 7. In this case only possible thing is to get rid of this dependency alltogether unless there is an alternative.

[wrprice]

If you're certain you don't use the two specific classes affected by the CVE, you could exclude them from the shading. That would remove the ability to exploit via this library, though this library may still show up in scans by the OWASP dependency check tool, for example. In that case, posting a known-issue would help clarify to users that (after excluding the classes) it's a false-positive.

Edited to add: removing entirely would probably be preferable

[littleaj]

@wrprice The current plan is to remove the dependnecy. It's only for convienience and has caused some other issues for us before. IMO, the best course of action is to remove it.

[wrprice]

@littleaj not trying to be a pest, and I appreciate the swiftness of the code change so far, but do you have an ETA for releasing 2.3.1 with this fix?

[littleaj]

@wrprice not a problem. The release is planned for this week.