
Resolving google-oauth and jetty-io vulnerability #24120

Open · wants to merge 1 commit into base: master

Conversation

KarthikaPKumar

Description

Identified security vulnerability issues of severity high from jetty-io-9.4.14.v20181114.jar 1.31.2.jar and resolved the same.
Excluded the transitive dependency of jetty-io occurring from parent packages, which does not break the build or impact the functionality but removes the said exploitable.

Identified security vulnerability issue of severity high from google-oauth-client-1.31.2.jar and resolved the same.
Excluded the transitive dependency of google-oauth-client occurring from parent package google-cloud-bigquerystorage, which does not break the build or impact the functionality but resolves the said exploitable.

Motivation and Context

Group id: org.eclipse.jetty
Artifact : jetty-io
Issue for version : jetty-io-9.4.14.v20181114.jar
Group id: com.google.oauth-client
Artifact : google-oauth-client
Issue for version : google-oauth-client-1.31.2.

Direct vulnerabilities:

CVE-2021-28165
CVE-2021-22573

Impact

Eclipse Jetty is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted TLS frame, a remote attacker could exploit this vulnerability to cause CPU usage to reach 100%.

Google APIs google-oauth-java-client could allow a remote attacker to bypass security restrictions, caused by PKCE support not being implemented. By executing a specially-crafted application, an attacker could exploit this vulnerability to obtain the authorization code and gain authorization to the protected resource.
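The second CVE above is about the client library lacking PKCE, so as an added example (not code from this PR, from Presto, or from google-oauth-client) here is the RFC 7636 S256 mechanism in Python, with a constructed in-memory authorization server that binds a one-time authorization code to the client's code_challenge and rejects replays and mismatched verifiers. `AuthorizationServer` and `run_flow` are illustrative names, not any library's API.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Characters RFC 7636 allows in a code_verifier: ALPHA / DIGIT / "-" / "." / "_" / "~"
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")

def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier; 32 bytes base64url-encode to 43 chars, the RFC minimum."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")

def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).rstrip(b"=").decode("ascii")

def valid_verifier(verifier: str) -> bool:
    """Length 43..128 and only unreserved characters (RFC 7636 section 4.1)."""
    return 43 <= len(verifier) <= 128 and all(c in _UNRESERVED for c in verifier)

class AuthorizationServer:
    """Constructed in-memory model of the server side of PKCE (not a real OAuth server)."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to a fresh one-time code."""
        if method != "S256":
            raise ValueError("only the S256 method is accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: the code is consumed on first use, then the verifier is checked."""
        challenge = self._pending.pop(code, None)
        if challenge is None or not valid_verifier(code_verifier):
            return False
        # Constant-time comparison of the recomputed challenge with the stored one.
        return hmac.compare_digest(code_challenge_s256(code_verifier), challenge)

def run_flow(server: AuthorizationServer) -> tuple[bool, bool]:
    """Legitimate round trip, then a replay of the same code: (accepted, replay_accepted)."""
    verifier = make_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    return server.exchange(code, verifier), server.exchange(code, verifier)
```

Without the verifier check, whoever holds the authorization code can redeem it; with it, an intercepted code is useless unless the secret code_verifier is also known.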

Test Plan

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
Resolving Aquasec scan CVE detected


@steveburnett (Contributor)

Thanks for this! Please add a release note entry following the example in Phrasing in the Release Note Guidelines. Here's a draft I wrote for you to consider, please revise it if the draft does not accurately describe your work.

== RELEASE NOTES ==

Security Changes
* Remove jetty-io in response to `CVE-2021-28165 <https://nvd.nist.gov/vuln/detail/cve-2021-28165>`_. :pr:`24120`
* Remove google-oauth-client in response to `CVE-2021-22573 <https://github.com/advisories/GHSA-hw42-3568-wj87>`_. :pr:`24120`

@tdcmeehan tdcmeehan added the from:IBM PR from IBM label Nov 22, 2024
@prestodb-ci prestodb-ci requested review from a team, zuyu and imjalpreet and removed request for a team November 22, 2024 15:55
Labels: from:IBM (PR from IBM)

3 participants