Play-Services Guava Vulnerability

[hammond-mike-ao]

Issue

There are currently a couple vulnerabilities (CVE-2023-2976, CVE-2020-8908) stemming from the play-services-measurement-api:23.0.0 dependency used in the com.google.firebase:firebase-analytics:23.0.0 library due to an outdated version of Guava being used. Are there any plans to update this Play Services library to use a newer version of Guava to resolve the vulnerability? If not, are there any concerns with clients overriding the version of Guava used?

Affected Dependencies:

play-services-measurement-api:23.0.0
play-services-measurement-impl:23.0.0

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[lehcar09]

Hi @hammond-mike-ao, thank you for reaching out. I don't have the visibility on the release roadmap. I'll raise this to our engineers for an update.

By default, Gradle uses the highest version of the declared dependency. The play-services-measurement-api and play-services-measurement-impl were built and tested on the guava:31.1 version and I can't guarantee that there won’t be any concern when you override the Guava version. For instance, there might be APIs that have been removed in the newer guava version.

[lehcar09]

Hi @hammond-mike-ao, sorry for the silence here, I've raised this to our engineers, and according to them, theplay-services-measurement-api and play-services-measurement-impl are dependencies of Google Analytics for Firebase, however, the GA4F doesn't use FileBackedOutputStream (CVE-2023-2976) or createTempDir (CVE-2020-8908) so those vulnerabilities does not apply to us.

As for the Guava dependency update, as of the moment, there are no immediate plans to update the version. While we are unable to promise any timeline for this, we'll definitely keep this under our radar.

I'll close this issue for now. Let us know if there's any misunderstanding or issues so we can re-open the ticket. Thanks!