async-http-client Netty v4.1.60.Final vulnerabilities
Hi,
If I read the dependency tree correctly, async-http-client-backend currently depends on async-http-client v2.12.3, which pulls netty-codec v4.1.60.Final, which according to Sonatype Lift is subject to the following vulnerabilities:
- [sonatype-2021-0789] CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- [CVE-2021-37136] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
- [CVE-2021-37137] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
Those are high severity vulnerabilities that should be fixed in async-http-client, but it looks like it's no longer getting updated, at least in the last year or so.
I suppose since AHC is no longer maintained, we should deprecate the client and remove its usages from the examples. What do you think, @Pask423?
Great idea, but I would leave an example anyway - just in case.
I'm against leaving the examples because even if we added a big, bold, shouting "IT'S DEPRECATED" note, a number of people would not notice it and would start using it thinking that it is OK... but it is not OK. If AsyncHttpClient were magically updated, we can always revert these changes. What do you think?
Apologies for posting on a closed issue, but is there a recommended upgrade path to move off the deprecated module?
@zendesk-thomas-hammond yes, I'd recommend using the HttpClient-based clients; they have minimal dependencies (as the JDK includes the base client) and work well.