2.0.2 code repackaging needed to update dependancies without vuln.

[emorneau]

aws-msk-iam-auth-2.0.2-all.jar is causing the following:

Issues to fix by upgrading:
Upgrade software.amazon.awssdk:auth@2.20.121 to software.amazon.awssdk:auth@2.20.162 to fix
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-5953332] in io.netty:netty-codec-http2@4.1.94.Final
introduced by software.amazon.awssdk:auth@2.20.121 > io.netty:netty-codec-http2@4.1.94.Final
✗ Allocation of Resources Without Limits or Throttling (new) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-SOFTWAREAMAZONION-6153869] in software.amazon.ion:ion-java@1.0.2
introduced by software.amazon.awssdk:auth@2.20.121 > software.amazon.ion:ion-java@1.0.2

[emorneau]

Locally fixed by changing build.gradle with "implementation('software.amazon.awssdk:auth:2.20.162')"
For others (remove txt file):
aws-msk-iam-auth-2.0.3-all.jar.txt

[emorneau]

replace above file with this one: aws-msk-iam-auth-2.0.3-all.jar.txt

[emorneau]

build.grade changes.

1. Added the following lines
   // to remove three line below when the ion-java update is provided across aws-java-sdk* libs
   configurations.implementation {
   exclude group: 'software.amazon.ion', module: 'ion-java'
   }

2. extra "dependencies" lines:
   implementation('io.netty:netty-codec-http2:4.1.100.Final')
   implementation(files('libs/ion-java-1.10.5.jar'))

[hhkkxxx133]

Thanks for reporting this to us! We have upgraded AWS SDK version and release the new version 2.0.3.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.