Request
Currently Alloy uses Go dependencies and libraries that use or reference version 1 of the AWS SDK for Go (github.com/aws/aws-sdk-go). AWS, as maintainer of the AWS SDK for Go package, announced the EOL of version 1 for July 31, 2025. After this date, no critical bug fixes and no security fixes will be provided. For details: https://aws.amazon.com/blogs/developer/announcing-end-of-support-for-aws-sdk-for-go-v1-on-july-31-2025/
It is recommended to migrate to AWS SDK for Go v2 - https://github.com/aws/aws-sdk-go-v2/
Since Alloy still indirectly uses the EOL version of AWS SDK for Go v1, it is also affected by at least two security issues (which will never be fixed in the version 1 code stream):
CVE-2020-8911: A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket.
CVE-2020-8912: A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR.
Use case
I'd like to start a joint discussion for a step-by-step investigation and upgrade to AWS SDK for Go v2 for Alloy. I'm aware that this is not an easy step. Furthermore, some dependencies are already using v2. It's more of a "progress-tracking and discussion ticket". I assume in some cases it's an update of a dependency; in other cases, it might be necessary to raise this v1 to v2 upgrade with other package maintainers - see the lists below!
In order to get an overview of the "areas" of affected Go dependencies for , I've used deptree to identify github.com/aws/aws-sdk-go references (28 in total, based on main from 09.03.2025):

Issues/project with v1 reference in go.mod files (+ currently open issues, so no update of this module in Alloy is possible yet):
- github.com/mongodb/mongo-tools

Updated go.mod files found - there should be an update of the package (via PR):
- github.com/go-kit/kit / Drop AWS SDK for Go v1 and upgrade to v2 before EOL/end-of-support at July 31, 2025 go-kit/kit#1303
- github.com/hashicorp/go-discover
- github.com/influxdata/telegraf
- github.com/nerdswords/yet-another-cloudwatch-exporter // github.com/prometheus-community/yet-another-cloudwatch-exporter
- github.com/hashicorp/go-secure-stdlib/awsutil
- github.com/percona/percona-backup-mongodb
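The same audit can be reproduced without deptree. The following is an added example (not code from the Alloy project or from the issue author) that parses `go mod graph` output and attributes every transitive github.com/aws/aws-sdk-go edge to the direct dependency that pulls it in, so each hit can be routed to the right upstream maintainer; the root module path example.com/alloy and all versions in the embedded sample are constructed.

```go
package main

import "strings"

// sampleGraph is constructed `go mod graph` output ("parent child" per line); the root module and all versions are made up.
const sampleGraph = `example.com/alloy github.com/go-kit/kit@v0.0.0-example
example.com/alloy github.com/aws/aws-sdk-go-v2@v0.0.0-example
github.com/go-kit/kit@v0.0.0-example github.com/aws/aws-sdk-go@v0.0.0-example
`

// ParseModGraph maps each module path to its children; "@version" is dropped, so all versions of a module collapse into one node.
func ParseModGraph(out string) map[string][]string {
	deps := map[string][]string{}
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			p, _, _ := strings.Cut(f[0], "@")
			c, _, _ := strings.Cut(f[1], "@")
			deps[p] = append(deps[p], c)
		}
	}
	return deps
}

// chainTo returns one dependency chain from mod to target by DFS (nil if none); seen breaks cycles in the module graph.
func chainTo(deps map[string][]string, mod, target string, seen map[string]bool) []string {
	if mod == target {
		return []string{mod}
	}
	seen[mod] = true
	for _, next := range deps[mod] {
		if seen[next] {
			continue
		}
		if rest := chainTo(deps, next, target, seen); rest != nil {
			return append([]string{mod}, rest...)
		}
	}
	return nil
}

// DirectCulprits maps each direct dependency of root that transitively pulls in target to one such chain; target is matched by exact module path, so github.com/aws/aws-sdk-go-v2 (a different module) is never flagged.
func DirectCulprits(deps map[string][]string, root, target string) map[string][]string {
	out := map[string][]string{}
	for _, d := range deps[root] {
		if chain := chainTo(deps, d, target, map[string]bool{}); chain != nil {
			out[d] = chain
		}
	}
	return out
}
```

Run it on the real output of `go mod graph` from the module root; because that graph also lists requirements of unselected module versions, confirm a flagged module with `go mod why -m github.com/aws/aws-sdk-go` before raising it upstream.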