Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency aws-cdk-lib to 2.177.0 [security] #2585

Closed
wants to merge 1 commit into from
Closed

chore(deps): update dependency aws-cdk-lib to 2.177.0 [security] #2585

wants to merge 1 commit into from

Conversation

apalchys
Copy link
Member

This PR contains the following updates:

Package Change
aws-cdk-lib 2.110.0 -> 2.177.0

GitHub Vulnerability Alerts

CVE-2025-23206

Impact

Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow, https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts#L34.

However, the current tls.connect method will always set rejectUnauthorized: false which is a potential security concern. CDK should follow the best practice and set rejectUnauthorized: true. However, this could be a breaking change for existing CDK applications and we should fix this with a feature flag.

Note that this is marked as low severity Security advisory because the issuer url is provided by CDK users who define the CDK application. If they insist on connecting to a unauthorized OIDC provider, CDK should not disallow this. Additionally, the code block is run in a Lambda environment which mitigate the MITM attack.

As a best practice, CDK should still fix this issue under a feature flag to avoid regression.

packages/@​aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts
❯❱ problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification
Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS
verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized
to false bypasses verification against the list of trusted CAs, which also leads to insecure
transport.

Patches

The patch is in progress. To mitigate, upgrade to CDK v2.177.0 (Expected release date 2025-02-22).
Once upgraded, please make sure the feature flag '@​aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' is set to true in cdk.context.json or cdk.json. More details on feature flag setting is here.

Workarounds

N/A

References

https://github.com/aws/aws-cdk/issues/32920

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 30, 2025
edited
Loading

📦 Next.js Bundle Analysis

This analysis was generated by the next.js bundle analysis action 🤖

This PR introduced no changes to the javascript bundle 🙌

@apalchys apalchys force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from bf6c745 to eda4e00 Compare January 30, 2025 08:03
@apalchys apalchys force-pushed the renovate/npm-aws-cdk-lib-vulnerability branch from eda4e00 to c6462cc Compare February 1, 2025 00:08
@apalchys apalchys closed this Feb 2, 2025
@apalchys apalchys deleted the renovate/npm-aws-cdk-lib-vulnerability branch February 2, 2025 16:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@apalchys @renovate-bot