[BUG]Vulnerable shared libraries might make azure-communication-calling vulnerable. Can you help upgrade to patch versions?

[HelenParr]

Hi, @anuchandy , @vcolin7, I'd like to report a vulnerability issue in com.azure.android:azure-communication-calling:2.1.0-beta.1.

Issue Description

com.azure.android:azure-communication-calling:2.1.0-beta.1 directly or transitively depends on 23 C libraries (.so) cross many platforms(such as x86-64, x86, arm64, armhf). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

llibskypert.so from C project openssl(version:1.1.1i) exposed 2 vulnerabilities:
CVE-2021-3711, CVE-2021-3712
libxeengine.so from C project libpng(version:1.6.16) exposed 4 vulnerabilities:
CVE-2017-12652, CVE-2015-8472, CVE-2016-10087, CVE-2016-3751

Furthermore, the vulnerable methods in the vulnerable shared libraries can be actually invoked by Java code. For instance, following call chains can reach the vulnerable method(C code) EC_GROUP_new_from_ecparameters() in file crypto/ec/ec_asn1.c reported by CVE-2021-3712.

call chains-----
TS_CONF_set_certs()->TS_CONF_load_certs()->PEM_X509_INFO_read_bio()->d2i_ECPrivateKey()->EC_GROUP_new_from_ecpkparameters()->EC_GROUP_new_from_ecparameters()

Suggested Vulnerability Patch Versions

openssl has fixed the vulnerabilities in versions >=1.1.1l
libpng has fixed the vulnerabilities in versions >=1.6.37

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects.
Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
Helen Parr

[vcolin7]

Hi @HelenParr, thank you for bringing this to our attention. Could you take a look @jsaurezlee-msft? Thanks :)

[github-actions]

Hi @HelenParr, we deeply appreciate your input into this project. Regrettably, this issue has remained inactive for over 2 years, leading us to the decision to close it. We've implemented this policy to maintain the relevance of our issue queue and facilitate easier navigation for new contributors. If you still believe this topic requires attention, please feel free to create a new issue, referencing this one. Thank you for your understanding and ongoing support.