
vulnerability warning CVE-2020-8911 and others related to AWS SDK #204

Closed
eli-darkly opened this issue Sep 2, 2022 · 3 comments

@eli-darkly
Contributor

LD has opened this issue to let everyone know that we're aware of these vulnerability reports, and we will release a patch version of our Docker image to address these as soon as possible:

It's our policy to make any necessary dependency/platform updates for such issues no matter what, but we also look into the details to determine how much of an actual risk these represent, if any, to Relay Proxy installations that are currently running. Here is our analysis:

  • All of the above refer to a potential attack involving access to S3 buckets that have been encrypted via AWS SDK calls. The Relay Proxy does not use any of the AWS SDK APIs related to S3 or encryption; its use of the SDK is limited to basic DynamoDB operations. We do not see a way for these attacks to be reproduced using a Relay Proxy instance.

Addressing these warnings will require updating to the v2 AWS SDK in Relay Proxy as well as in the LaunchDarkly Go SDK's DynamoDB integration.

@eli-darkly
Contributor Author

Update: it may take a bit longer to fix this than we had hoped, because there is an indirect reference to the older AWS SDK in the old Google Cloud (a.k.a. Stackdriver) metrics integration package... which we can't get away from until we migrate from OpenCensus to OpenTelemetry for metrics. We had planned to do the latter anyway, but it's a bigger code change.

@eli-darkly
Contributor Author

Another update:

The OpenTelemetry work I mentioned above is still ongoing, and is probably for a 7.0.0 release rather than 6.x.

So, in order to be able to have clean security scans in 6.x, we're simply forking the problematic OpenCensus library and removing the AWS SDK v1 dependency from it (which wasn't actually being used). This change will be in a v6.7.14 patch release and should not affect any Relay Proxy functionality.
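As an added example (not code from the Relay Proxy project or this issue), the Go program below walks a constructed `go mod graph` edge list to show the kind of indirect chain described in this thread (application -> metrics exporter -> aws-sdk-go v1) and to confirm that once the exporter is swapped for a fork whose go.mod no longer requires the v1 SDK, that module is no longer reachable. Module paths and versions in the sample are illustrative; for a real module, run `go mod graph` (or `go mod why -m github.com/aws/aws-sdk-go`) in the repository root.

```go
package main

import "strings"

// Constructed `go mod graph` output (one "parent child" edge per line). Paths and versions are
// illustrative; only the shape matters: the metrics exporter, not the app, requires aws-sdk-go v1.
const beforeFork = `example.com/relay github.com/aws/aws-sdk-go-v2@v1.16.0
example.com/relay contrib.go.opencensus.io/exporter/stackdriver@v0.13.12
contrib.go.opencensus.io/exporter/stackdriver@v0.13.12 github.com/aws/aws-sdk-go@v1.37.0
contrib.go.opencensus.io/exporter/stackdriver@v0.13.12 go.opencensus.io@v0.23.0
github.com/aws/aws-sdk-go@v1.37.0 github.com/jmespath/go-jmespath@v0.4.0`

// The same graph after replacing the exporter with a fork whose go.mod no longer requires aws-sdk-go v1.
const afterFork = `example.com/relay github.com/aws/aws-sdk-go-v2@v1.16.0
example.com/relay example.com/forks/stackdriver@v0.13.12-fork
example.com/forks/stackdriver@v0.13.12-fork go.opencensus.io@v0.23.0`

// parseGraph turns `go mod graph` text into an adjacency list keyed by module@version.
func parseGraph(text string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	return edges
}

// findPath returns one chain of modules from cur down to any version of target
// (a module path without "@version"), or nil if target is not reachable.
// Pass seen as nil; it tracks visited nodes so cycles in the graph terminate.
func findPath(edges map[string][]string, cur, target string, seen map[string]bool) []string {
	if seen == nil {
		seen = map[string]bool{}
	}
	// Match on "path@" so aws-sdk-go does not also match aws-sdk-go-v2.
	if cur == target || strings.HasPrefix(cur, target+"@") {
		return []string{cur}
	}
	seen[cur] = true
	for _, next := range edges[cur] {
		if seen[next] {
			continue
		}
		if rest := findPath(edges, next, target, seen); rest != nil {
			return append([]string{cur}, rest...)
		}
	}
	return nil
}
```

The same walk over a real graph is what a scanner effectively does when it flags the image, so the fork is only complete when the v1 path comes back empty while the v2 SDK used for DynamoDB stays reachable.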

@eli-darkly
Contributor Author

Fixed in the 6.7.14 release.
