Description
Is your feature request related to a problem? Please describe.
Currently Tempo uses Go dependencies and libraries which use or reference version 1 of the AWS SDK for Go (github.com/aws/aws-sdk-go). AWS, as maintainer of the AWS SDK for Go, announced the end of life of version 1 for July 31, 2025. After this date, no critical bug fixes and no security fixes will be provided. For details: https://aws.amazon.com/blogs/developer/announcing-end-of-support-for-aws-sdk-for-go-v1-on-july-31-2025/
It’s recommended to migrate to AWS SDK for Go v2 - https://github.com/aws/aws-sdk-go-v2/
Since Tempo is still indirectly using the EOL version of AWS SDK for Go v1, it is also affected by at least two security issues (which will never be fixed in the version 1 code stream):
- CVE-2020-8911: A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket.
- CVE-2020-8912: A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR.
What would you like to be added:
I’d like to start the discussion and investigation for a step-by-step upgrade to AWS SDK for Go v2. I’m aware that this is not an easy step. Furthermore, some dependencies are already using v2. It’s more like a “progress-tracking and discussion ticket”. I assume in some cases it’s an update of a dependency; in other cases, it might be necessary to raise this v1 to v2 upgrade with other package maintainers.
In order to get an overview of the “areas” of affected Go dependencies for github.com/aws/aws-sdk-go, I ran the following command:
```
$ go mod graph | grep github.com/aws/aws-sdk-go | grep -v github.com/aws/aws-sdk-go-v2
github.com/grafana/tempo github.com/aws/aws-sdk-go@v1.55.6
github.com/aws/aws-sdk-go@v1.55.6 github.com/jmespath/go-jmespath@v0.4.0
github.com/grafana/dskit@v0.0.0-20250131191929-eab36484cec2 github.com/aws/aws-sdk-go@v1.44.321
github.com/jaegertracing/jaeger@v1.65.0 github.com/aws/aws-sdk-go@v1.55.5
github.com/open-telemetry/opentelemetry-collector-contrib/exporter/kafkaexporter@v0.118.0 github.com/aws/aws-sdk-go@v1.55.6
github.com/open-telemetry/opentelemetry-collector-contrib/internal/kafka@v0.118.0 github.com/aws/aws-sdk-go@v1.55.6
github.com/open-telemetry/opentelemetry-collector-contrib/receiver/kafkareceiver@v0.118.0 github.com/aws/aws-sdk-go@v1.55.6
github.com/prometheus/alertmanager@v0.27.0 github.com/aws/aws-sdk-go@v1.50.8
github.com/prometheus/common/sigv4@v0.1.0 github.com/aws/aws-sdk-go@v1.38.35
github.com/prometheus/prometheus@v0.54.1 github.com/aws/aws-sdk-go@v1.54.19
github.com/aws/aws-sdk-go@v1.38.35 github.com/jmespath/go-jmespath@v0.4.0
github.com/aws/aws-sdk-go@v1.38.35 github.com/pkg/errors@v0.9.1
github.com/aws/aws-sdk-go@v1.38.35 golang.org/x/net@v0.0.0-20201110031124-69a78807bb2b
```
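As an added example (not part of this issue or of the Tempo code base), a small Go program that does the same inventory as the grep pipeline above, but matches the module path exactly: it therefore excludes github.com/aws/aws-sdk-go-v2 without a second filter and ignores edges where v1 itself is the requirer (the jmespath, pkg/errors and x/net lines), leaving exactly the modules that need a migration PR or an upstream request. The embedded graph is a constructed sample taken from the listing above plus one made-up v2 edge.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Exact module path of the end-of-life SDK. Matching the path exactly, rather
// than grepping a prefix, excludes github.com/aws/aws-sdk-go-v2 automatically.
const v1Module = "github.com/aws/aws-sdk-go"

// Constructed sample: edges as `go mod graph` prints them (from this issue's
// listing, plus one made-up v2 edge that must not be reported).
const sampleGraph = `github.com/grafana/tempo github.com/aws/aws-sdk-go@v1.55.6
github.com/aws/aws-sdk-go@v1.55.6 github.com/jmespath/go-jmespath@v0.4.0
github.com/grafana/dskit@v0.0.0-20250131191929-eab36484cec2 github.com/aws/aws-sdk-go@v1.44.321
github.com/grafana/tempo github.com/aws/aws-sdk-go-v2@v1.0.0`

// splitModule splits "path@version"; the main module has no version ("").
func splitModule(s string) (path, version string) {
	if i := strings.LastIndex(s, "@"); i >= 0 {
		return s[:i], s[i+1:]
	}
	return s, ""
}

// findV1Requirers reads `go mod graph` output (one "requirer dependency" pair
// per line) and maps each module that still requires aws-sdk-go v1 to the v1
// version it asks for; every key is one item on the migration list.
func findV1Requirers(graph string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		depPath, depVer := splitModule(f[1])
		if depPath == v1Module {
			reqPath, _ := splitModule(f[0])
			out[reqPath] = depVer
		}
	}
	return out
}

func main() {
	for mod, ver := range findV1Requirers(sampleGraph) {
		fmt.Printf("%s requires %s@%s\n", mod, v1Module, ver)
	}
}
```

To run it against a real module, replace `sampleGraph` with the text read from `go mod graph`; the main module (github.com/grafana/tempo) shows up with no version suffix, as in the listing above.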
Describe the solution you'd like
To keep Tempo up-to-date and to track progress via PRs/linked issues for the migration to AWS SDK for Go v2 (by updating the dependencies). Overall: Security 😊