CVE-2024-53990 - Upgrading async-http-client to 3.0.1

[jshah11]

Description

This change removed the current library from transitive dependency to the main dependency to ensure we address the security issues.

Motivation and Context

The AsyncHttpClient (AHC) library allows Java applications to execute HTTP requests and asynchronously process HTTP responses easily. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services with multiple users, this can result in one user's Cookie being used for another user's requests.
Issue Details: #24299

Impact

N/A

Test Plan

CI/CD

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Async Http Client library version upgrade
* Upgrade async-http-client library to 3.0.1 in response to `CVE-2024-53990 <https://www.cve.org/CVERecord?id=CVE-2024-53990>`_. :pr:`24313`

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: jshah11 / name: Jinal Shah (70bda20, cb94527, 96fa299, 2c77098, d0eed5e, ea3c2c7, 718c647)

[imjalpreet]

Is this the only transitive dependency for async-http-client?

[jshah11]

There was one more. I didn't realize the library was moved to a different group name. Removed that library as well

[jshah11]

I checked this by running the dependency:tree command.

[imjalpreet]

Thanks for the fix, please provide the dependency tree both before and after the change for review.

[jshah11]

Before Dependency Tree: https://drive.google.com/file/d/11J28lpasQX-y4H-WBWEsA6XptW3W9k-W/view?usp=sharing
After Dependency Tree: https://drive.google.com/file/d/1fJIXq-mD2qVxRx_M-WEgZTLgQjeCbJrf/view?usp=sharing

[infvg]

I have a few concerns.

1. The exclusions means that async-http-client is never truly upgraded - it's not brought in at all anymore.
2. async-http-client version 3.0.1 requires java 11 so a true upgrade is not possible at this time.

4. airlift resolver uses the com.ning version which has a different package within the code. In certain situations where the async module is used, this might cause issues. I've created a PR for resolver to rework the project so a switch will need to use this reworked resolver. Reworked to use maven resolver resolver#2
5. Upgrading the dependency in druid-processing requires a couple of minor changes & hopefully it will be included in the latest druid-processing version soon. Bump async-http-client to 3.0.1 apache/druid#17558

[steveburnett]

Suggest revising the release note to follow the Release Notes Guidelines.

== RELEASE NOTES ==

Security Changes 
* Upgrade async-http-client library to 3.0.1 in response to `CVE-2024-53990
 <https://www.cve.org/CVERecord?id=CVE-2024-53990>`_. :pr:`24313`

[jshah11]

@infvg , thanks for the feedback. Few questions:

1. For point 2, why do you say a true upgrade is not possible at this time? I understand we might need to bump the library version for which you have the PR out, is it just because of that or are there other reasons too?
2. For point 5, do we need to bump the version in the druid repo? If so, what was the motivation behind that?
3. Once both the diffs out there are landed, can I bump those versions and those upgrades to the right async library?