Hi @parthbond180, @hiteshvpatel256, I'd like to report a vulnerability issue in com.protocol180:protocol-aggregator-workflows:0.1.4.
Issue Description
com.protocol180:protocol-aggregator-workflows:0.1.4 directly or transitively depends on 4 C libraries (.so). However, I noticed that one of these C libraries is vulnerable, containing the following CVEs:
libcrypto.so from the C project openssl (version: 1.1.1) exposed 9 vulnerabilities:
CVE-2021-3711, CVE-2021-3712, CVE-2019-1549, CVE-2019-1543, CVE-2018-0735, CVE-2020-7043, CVE-2020-7042, CVE-2020-7041, CVE-2019-1552
Suggested Vulnerability Patch Versions
openssl has fixed the vulnerabilities in versions >=1.1.1l.
Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects.
Could you please upgrade the above shared libraries to their patch versions?
Thanks for your help~
Best regards,
Helen Perr
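A check for the gap described in the report above, as an added example that is not part of the original issue or of the project's code: it lists the `.so` entries inside a JAR and reads the version banner OpenSSL compiles into `libcrypto`, comparing it with the `1.1.1l` release named in the report. The sample JAR and its entry names are constructed for the example, and the check assumes the banner string has not been stripped or altered.

```python
import io
import re
import zipfile

# Version banner OpenSSL compiles into libcrypto, e.g. b"OpenSSL 1.1.1l  24 Aug 2021"
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}")
FIXED = (1, 1, 1, "l")  # patched release named in the report


def scan_jar(jar, fixed=FIXED):
    """Return [(entry, version, is_outdated)] for native libs inside a JAR.

    `jar` is a path or file-like object. Nested JARs are not opened.
    """
    findings = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not re.search(r"\.so(\.[\w.]+)?$", name):
                continue  # only shared objects are of interest
            m = BANNER.search(zf.read(name))
            if m is None:
                findings.append((name, None, False))  # no OpenSSL banner found
                continue
            major, minor, patch, letter = m.groups()
            ver = (int(major), int(minor), int(patch), letter.decode())
            # Letter suffixes order alphabetically: "" < "a" < ... < "l"
            findings.append((name, "%d.%d.%d%s" % ver, ver < fixed))
    return findings


def build_sample_jar():
    """Constructed sample: a JAR with two fake .so payloads (not real libraries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("native/linux-x86_64/libcrypto.so",
                    b"\x7fELF\x00" + b"OpenSSL 1.1.1  11 Sep 2018\x00")
        zf.writestr("native/linux-x86_64/libpatched.so",
                    b"\x7fELF\x00" + b"OpenSSL 1.1.1l  24 Aug 2021\x00")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, version, outdated in scan_jar(build_sample_jar()):
        print(entry, version, "OUTDATED" if outdated else "ok")
```

An entry reported with version `None` is a native library in which no OpenSSL banner was found, which does not rule out a statically linked or stripped copy.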