Is your feature request related to a problem? Please describe.
Currently, Tempo uses Go dependencies and libraries which use/reference version 1 of the AWS SDK for Go (github.com/aws/aws-sdk-go). AWS, as maintainer of the AWS SDK for Go package, announced the EOL of version 1 for July 31, 2025. After this date, no critical bug fixes and no security fixes will be provided. For details: https://aws.amazon.com/blogs/developer/announcing-end-of-support-for-aws-sdk-for-go-v1-on-july-31-2025/
It’s recommended to migrate to AWS SDK for Go v2 - https://github.com/aws/aws-sdk-go-v2/
Since Tempo is still indirectly using the EOL version of AWS SDK for Go v1, it is also affected by at least two security issues (which will never be fixed in the version 1 code stream):
CVE-2020-8911: A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket.
CVE-2020-8912: A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR.
What would you like to be added:
I’d like to start the discussion and investigation for a step-by-step upgrade to AWS SDK for Go v2. I’m aware that this is not an easy step. Furthermore, some dependencies are already using v2. It’s more like a “progress-tracking and discussion ticket”. I assume that in some cases it’s an update of a dependency; in other cases it might be necessary to raise this v1-to-v2 upgrade with other package maintainers.
In order to get an overview of the “areas” of affected Go dependencies for github.com/aws/aws-sdk-go, I ran the following command:
Describe the solution you'd like
To keep Tempo up-to-date and to track progress via PRs/linked issues for the migration to AWS SDK for Go v2 (by updating the dependencies). Overall: Security 😊
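The two CVEs named above share one root cause: the v1 S3 crypto client let the object's own metadata decide how it would be decrypted, and S3 metadata is writable by anyone who can write the object. The following toy Go program is an added example, not Tempo's code and not the AWS SDK's implementation; it models the AES-GCM to AES-CTR downgrade of CVE-2020-8912 against a hypothetical `Object` type (the field names, the fixed demo key and the sample record are assumptions). It relies on one standard fact: GCM produces its ciphertext with CTR mode whose first counter block is `nonce || 0x00000002`, so a GCM body relabelled as CTR with that IV decrypts to the original plaintext, and an unauthenticated CTR body can then have bytes flipped at will. The legacy decryptor obeys the metadata; the pinned decryptor fixes the algorithm client-side and treats the metadata only as something to verify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Object is a toy S3 object: the encrypted body plus the per-object metadata a
// client-side encryption SDK stores beside it (field names are hypothetical).
type Object struct {
	Body []byte // for AES/GCM this is ciphertext || 16-byte tag
	Alg  string // content-encryption algorithm recorded with the object
	IV   []byte
}

func encryptGCM(key, plaintext []byte) (Object, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Object{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Object{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes
	if _, err := rand.Read(nonce); err != nil {
		return Object{}, err
	}
	return Object{Body: gcm.Seal(nil, nonce, plaintext, nil), Alg: "AES/GCM", IV: nonce}, nil
}

// legacyDecrypt models the vulnerable pattern: the object's own metadata picks
// the cipher, so anyone who can overwrite the object picks it too.
func legacyDecrypt(key []byte, obj Object) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	switch obj.Alg {
	case "AES/GCM":
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, obj.IV, obj.Body, nil) // tag is verified
	case "AES/CTR":
		if len(obj.IV) != aes.BlockSize {
			return nil, fmt.Errorf("ctr: iv must be %d bytes", aes.BlockSize)
		}
		out := make([]byte, len(obj.Body))
		cipher.NewCTR(block, obj.IV).XORKeyStream(out, obj.Body) // no integrity check at all
		return out, nil
	}
	return nil, fmt.Errorf("unsupported algorithm %q", obj.Alg)
}

// pinnedDecrypt is the hardened form: the client fixes the algorithm and only
// checks that the metadata agrees with it, instead of obeying the metadata.
func pinnedDecrypt(key []byte, obj Object) ([]byte, error) {
	if obj.Alg != "AES/GCM" {
		return nil, fmt.Errorf("refusing algorithm %q: only AES/GCM is accepted", obj.Alg)
	}
	return legacyDecrypt(key, obj)
}

// downgrade is what a bucket writer can do without the key: relabel a GCM object
// as CTR, drop the tag and flip chosen plaintext bytes. GCM's keystream is CTR
// mode starting at counter block nonce||0x00000002, so that block is the CTR IV.
func downgrade(obj Object, offset int, oldFrag, newFrag string) (Object, error) {
	if len(obj.IV) != 12 || len(oldFrag) != len(newFrag) || offset+len(oldFrag) > len(obj.Body)-16 {
		return Object{}, fmt.Errorf("need a 12-byte GCM nonce and an in-range, equal-length fragment")
	}
	ctrIV := append(append([]byte{}, obj.IV...), 0, 0, 0, 2)
	body := append([]byte{}, obj.Body[:len(obj.Body)-16]...) // strip the GCM tag
	for i := 0; i < len(oldFrag); i++ {
		body[offset+i] ^= oldFrag[i] ^ newFrag[i] // c ^ p_old ^ p_new encrypts p_new
	}
	return Object{Body: body, Alg: "AES/CTR", IV: ctrIV}, nil
}

// RunDemo returns what the legacy client recovers from the tampered object and
// whether the pinned client rejects it. Key and record are constructed samples.
func RunDemo() (legacyOut string, pinnedRejected bool, err error) {
	key := []byte("0123456789abcdef0123456789abcdef") // AES-256 demo key
	obj, err := encryptGCM(key, []byte("to=alice amount=0100"))
	if err != nil {
		return "", false, err
	}
	tampered, err := downgrade(obj, len("to=alice amount="), "0100", "9900")
	if err != nil {
		return "", false, err
	}
	out, err := legacyDecrypt(key, tampered)
	if err != nil {
		return "", false, err
	}
	_, perr := pinnedDecrypt(key, tampered)
	return string(out), perr != nil, nil
}

func main() {
	fmt.Println(RunDemo())
}
```

The legacy client returns `to=alice amount=9900` with no error, because once the object is labelled CTR nothing checks integrity; the pinned client refuses the object outright. The same pinning is what a v2-based or patched client does, which is why staying on an unmaintained SDK that still honours in-band algorithm selection is the real exposure here, independent of which mode the writer originally chose.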
For the most part this seems straightforward. I'm most concerned about the changes to the credential providers. There are so many different auth methods in AWS, and we don't have the capacity to verify that we interact with them all exactly the same before and after the upgrade.