
Commit 7de2cf4

Bump shaded jackson, httpcore5-h2, netty, commons-configuration2, lz4 to address CVEs (#1456)
## Summary

Bumps five shaded/published dependencies that consumers can't override via Maven dependency management — either because they're shaded into the uber JAR, or (for the lz4 case) because they're declared as flattened transitives in the published `databricks-jdbc-thin` POM.

| Dependency | From | To | Reason |
|---|---|---|---|
| `jackson-core` | 2.18.6 | 2.18.7 | [SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551) — DoS via oversized JSON documents bypassing size limits |
| `httpclient5` / `httpcore5` / `httpcore5-h2` | 5.3.1 | 5.5.2 / 5.3.6 | [CVE-2025-8671](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052) — HTTP/2 stream-reset DoS in `httpcore5-h2` |
| `netty-buffer` / `netty-common` | 4.2.12.Final | 4.2.13.Final | Clears the May 2026 netty codec CVE batch: [CVE-2026-33870](https://nvd.nist.gov/vuln/detail/CVE-2026-33870), [CVE-2026-33871](https://nvd.nist.gov/vuln/detail/CVE-2026-33871), [CVE-2026-42585](https://nvd.nist.gov/vuln/detail/CVE-2026-42585), [CVE-2026-42587](GHSA-f6hv-jmp6-3vwv), and others. All advisories target netty's HTTP/codec components, which the driver does not use (netty is only used as Arrow's off-heap buffer allocator) — but the bump silences the scanner false-positive CPE matches against `netty-buffer`/`netty-common`. |
| `commons-configuration2` | 2.10.1 | 2.15.0 | [CVE-2026-45205](https://nvd.nist.gov/vuln/detail/CVE-2026-45205) — uncontrolled recursion when parsing untrusted YAML configs (the driver does not parse untrusted YAML; practical risk is negligible) |
| `lz4-java` | `org.lz4:lz4-java:1.8.1` | `at.yawk.lz4:lz4-java:1.10.1` | [CVE-2025-66566](https://nvd.nist.gov/vuln/detail/CVE-2025-66566) — information leak via uncleared output buffers in safe/unsafe Java decompressors |

Also extracts a separate `httpcore5.version` property because `httpclient5` 5.5.2 and `httpcore5` are no longer published in lockstep on the 5.5 line (httpclient5 5.5.2 transitively pulls httpcore5 5.3.6).

Fixes #1436. Fixes #1455. Fixes #1457.

(Issue #1423 — netty in 3.3.1 — was already fixed by the netty 4.2.6 → 4.2.12 bump in #1347, shipped in 3.3.2. This PR additionally moves to 4.2.13.Final.)

### Notes on the lz4 bump

`org.lz4:lz4-java:1.8.1` is a relocation-only POM that resolves to `at.yawk.lz4:lz4-java:1.8.1` (the upstream `org.lz4` GA is no longer maintained). Maven's relocation handling meant the **published `databricks-jdbc-thin` POM** declared `at.yawk.lz4:lz4-java:1.8.1` as a flat transitive — and the uber JAR shaded that same vulnerable jar. Bumping the groupId to `at.yawk.lz4` and the version to 1.10.1 (which has the fix for CVE-2025-66566) addresses both the thin and uber artifacts.

Practical risk for this driver is low — `DecompressionUtil` decompresses trusted server-sent Arrow chunks into freshly-allocated streams, not reused buffers — but the published artifacts should not carry the vulnerable version.

### Note on #1457's Arrow CVE-2024-52338

The Arrow finding in #1457 ([CVE-2024-52338](https://nvd.nist.gov/vuln/detail/CVE-2024-52338)) is a CPE false positive and does not require an Arrow bump. The [Apache advisory](https://www.openwall.com/lists/oss-security/2024/11/28/3) explicitly states it covers only the Apache Arrow R package on CRAN (R 4.0.0 – 16.1.0, fixed in R 17.0.0). The driver ships Java Arrow 18.3.0, which is unaffected by both ecosystem (Java ≠ R) and version range. This will be silenced via an `owasp-suppressions.xml` entry in a separate follow-up PR (same precedent as the existing `CVE-2026-25087` suppression for Arrow C++ vs Java).

### Out of scope — follow-up

* **libthrift 0.19.0 → 0.23.0**: required to clear the May 2026 libthrift CVE batch from scanner reports (most of those CVEs target Go/Node/C_glib/Rust bindings and don't affect Java usage, but scanners match by GA coordinates). Bump cannot be done in this PR because libthrift 0.21 changed the `ProcessFunction` generic signature, and the checked-in Thrift-generated Java code at `src/main/java/com/databricks/jdbc/model/client/thrift/generated/TCLIService.java` needs to be regenerated with the 0.23 compiler from `src/main/java/com/databricks/jdbc/dbclient/impl/thrift/TCLIService.thrift`. There is currently no codegen script or Maven plugin in the repo to do this — should be tracked separately and probably wired up as a `regenerate-thrift.sh` so it isn't lost in the future.
* **protobuf-java 3.25.5 CVE-2026-0994**: Python-only (`google.protobuf.json_format.ParseDict()`); no Java fix exists and no action needed.
* **grpc-api 1.71.0 CVE-2026-33186**: Go-only (gRPC-Go server authz bypass); grpc-java is unaffected. Follow-up suppression PR will silence this scanner false positive.
* **OWASP scanner gap (CVE-2025-66566 in lz4 missed our weekly scan)**: dependency-check identifies `at.yawk.lz4:lz4-java@1.8.1` correctly but matches zero vulnerabilities against it because the `at.yawk.lz4` GA has no CPE in NVD. The OSS Index analyzer is configured in `jdbc-core/pom.xml` but no credentials are wired in `vulnerabilityCatcher.yml`, so it's effectively never enriching results. Recommend (a) wiring OSS Index creds or (b) adding a purl-based scanner (osv-scanner / dependency-track) to the weekly workflow as a backstop.

## Test plan

- [x] `mvn clean install -DskipTests -Plocal` succeeds.
- [x] `mvn -pl jdbc-core test -Plocal -Dgroups='!Jvm17PlusAndArrowToNioReflectionDisabled'` — **3288 tests, 0 failures, 0 errors**.
- [x] `mvn -pl jdbc-core test -Plocal -Dtest='DecompressionUtilTest'` — passes (lz4 decompression).
- [x] Verified the shaded uber JAR contains the expected versions via `unzip -p META-INF/maven/*/<artifact>/pom.properties`:
  - `jackson-core 2.18.7`, `jackson-databind 2.18.7`
  - `httpclient5 5.5.2`, `httpcore5 5.3.6`, `httpcore5-h2 5.3.6`
  - `netty-buffer 4.2.13.Final`, `netty-common 4.2.13.Final`
  - `commons-configuration2 2.15.0`
  - `at.yawk.lz4:lz4-java 1.10.1`
- [x] Verified `assembly-thin/dependency-reduced-pom.xml` now declares `at.yawk.lz4:lz4-java:1.10.1` (was `at.yawk.lz4:lz4-java:1.8.1`).
- [ ] Full PR CI: unit tests on all JDK matrix entries, integration tests, integration smoke against DBSQL.

This pull request and its description were written by Isaac.

---------

Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
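The uber-JAR check in the test plan above (reading each shaded dependency's `META-INF/maven/<groupId>/<artifactId>/pom.properties`) is the one step that actually proves a shaded bump reached consumers, and it is cheap to automate. The following is an added example, not code from the databricks-jdbc project or from this commit: it reads every `pom.properties` entry in a JAR, compares the recorded version against a minimum-version table, and flags any entry under the relocation-only `org.lz4` groupId, which would mean the old fork was shaded after all. The minimum versions are taken from the bump table in the commit message; the groupIds are the standard Maven Central coordinates for those artifacts; the two JARs it inspects are constructed in memory as sample data, not real driver builds.

```python
import io
import re
import zipfile

# Minimum acceptable version per (groupId, artifactId), taken from the bump
# table in the commit message. Versions compare as integer tuples; a trailing
# qualifier such as ".Final" is ignored.
EXPECTED_MIN = {
    ("com.fasterxml.jackson.core", "jackson-core"): "2.18.7",
    ("org.apache.httpcomponents.client5", "httpclient5"): "5.5.2",
    ("org.apache.httpcomponents.core5", "httpcore5"): "5.3.6",
    ("org.apache.httpcomponents.core5", "httpcore5-h2"): "5.3.6",
    ("io.netty", "netty-buffer"): "4.2.13",
    ("io.netty", "netty-common"): "4.2.13",
    ("org.apache.commons", "commons-configuration2"): "2.15.0",
    ("at.yawk.lz4", "lz4-java"): "1.10.1",
}

# groupIds that must not appear in the JAR at all: org.lz4 is the
# relocation-only POM that resolved to the vulnerable lz4-java 1.8.1.
FORBIDDEN_GROUPS = {"org.lz4"}

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def parse_version(version):
    """'4.2.13.Final' -> (4, 2, 13); non-numeric segments are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def shaded_versions(jar_bytes):
    """Map (groupId, artifactId) -> version for every pom.properties in the JAR."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            match = POM_PROPS.match(name)
            if not match:
                continue
            props = {}
            for line in jar.read(name).decode("utf-8").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            # Prefer the coordinates written in the file; fall back to the path.
            group = props.get("groupId", match.group(1))
            artifact = props.get("artifactId", match.group(2))
            found[(group, artifact)] = props.get("version", "")
    return found

def check_jar(jar_bytes, expected=EXPECTED_MIN, forbidden=FORBIDDEN_GROUPS):
    """Return sorted findings for a JAR; an empty list means it is clean."""
    found = shaded_versions(jar_bytes)
    findings = []
    for (group, artifact), minimum in expected.items():
        actual = found.get((group, artifact))
        if actual is None:
            findings.append(f"missing: {group}:{artifact} (expected >= {minimum})")
        elif parse_version(actual) < parse_version(minimum):
            findings.append(f"outdated: {group}:{artifact} {actual} < {minimum}")
    for (group, artifact), version in found.items():
        if group in forbidden:
            findings.append(f"forbidden groupId: {group}:{artifact} {version}")
    return sorted(findings)

def build_sample_jar(entries):
    """Constructed sample data: an in-memory JAR with one pom.properties per entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for group, artifact, version in entries:
            body = f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n"
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties", body)
    return buf.getvalue()

# Two constructed JARs: one shaped like the driver before this commit, one after.
BEFORE_JAR = build_sample_jar([
    ("com.fasterxml.jackson.core", "jackson-core", "2.18.6"),
    ("org.apache.httpcomponents.client5", "httpclient5", "5.3.1"),
    ("org.apache.httpcomponents.core5", "httpcore5", "5.3.1"),
    ("org.apache.httpcomponents.core5", "httpcore5-h2", "5.3.1"),
    ("io.netty", "netty-buffer", "4.2.12.Final"),
    ("io.netty", "netty-common", "4.2.12.Final"),
    ("org.apache.commons", "commons-configuration2", "2.10.1"),
    ("at.yawk.lz4", "lz4-java", "1.8.1"),
])
AFTER_JAR = build_sample_jar([
    ("com.fasterxml.jackson.core", "jackson-core", "2.18.7"),
    ("org.apache.httpcomponents.client5", "httpclient5", "5.5.2"),
    ("org.apache.httpcomponents.core5", "httpcore5", "5.3.6"),
    ("org.apache.httpcomponents.core5", "httpcore5-h2", "5.3.6"),
    ("io.netty", "netty-buffer", "4.2.13.Final"),
    ("io.netty", "netty-common", "4.2.13.Final"),
    ("org.apache.commons", "commons-configuration2", "2.15.0"),
    ("at.yawk.lz4", "lz4-java", "1.10.1"),
])

if __name__ == "__main__":
    for label, jar_bytes in (("before", BEFORE_JAR), ("after", AFTER_JAR)):
        print(label, check_jar(jar_bytes) or "clean")
```

Against a real build, pass `check_jar` the bytes of the shaded artifact (reading the uber JAR from `target/` is an assumption about the project's layout). Reading `pom.properties` rather than the dependency tree matters for the exact reason the commit gives: a scanner or `mvn dependency:tree` sees what the build resolved, while the embedded properties record what was actually shaded, which is what consumers receive and cannot override. The `forbidden` check also catches the relocation case the commit describes, where the coordinate a consumer sees (`org.lz4`) differs from the coordinate that carries the fix (`at.yawk.lz4`).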
1 parent f3923fa commit 7de2cf4

3 files changed

Lines changed: 13 additions & 7 deletions


NEXT_CHANGELOG.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,11 @@ upgrading. These changes do not affect metadata on All-Purpose Clusters.
4646
- Server-side operations are now closed proactively when `ResultSet.close()` is called, improving resource utilization. The client-side Statement remains open and reusable for re-execution. As a result, `getExecutionResult()` after result consumption returns the cached ResultSet instead of making a server RPC.
4747

4848
### Fixed
49+
- Bump shaded `jackson-core` from 2.18.6 to 2.18.7 to address [SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551) (DoS via oversized JSON documents bypassing size limits). Fixes #1436.
50+
- Bump shaded `httpclient5`/`httpcore5`/`httpcore5-h2` from 5.3.1 to 5.5.2 to address [CVE-2025-8671](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052) (HTTP/2 stream-reset DoS in `httpcore5-h2`). Fixes #1436.
51+
- Bump shaded `netty-buffer`/`netty-common` from 4.2.12.Final to 4.2.13.Final to clear OWASP scanner reports for the May 2026 batch of netty codec CVEs (CVE-2026-42577/42579/42580/42581/42582/42583/42584/42585/42586/42587, CVE-2026-44248, CVE-2026-41417, CVE-2026-42578). The driver does not use any netty HTTP/codec components — these vulnerabilities are not exploitable in this usage — but the bump silences the false-positive CPE matches.
52+
- Bump shaded `commons-configuration2` from 2.10.1 to 2.15.0 to address [CVE-2026-45205](https://nvd.nist.gov/vuln/detail/CVE-2026-45205) (uncontrolled recursion when parsing untrusted YAML configurations). The driver does not parse untrusted YAML, so the practical risk is negligible.
53+
- Bump `lz4-java` from `org.lz4:lz4-java:1.8.1` to `at.yawk.lz4:lz4-java:1.10.1` to address [CVE-2025-66566](https://nvd.nist.gov/vuln/detail/CVE-2025-66566) (information leak via uncleared output buffers in the safe/unsafe Java decompressors). `org.lz4:lz4-java:1.8.1` is a relocation-only POM that resolves to `at.yawk.lz4:lz4-java:1.8.1`, so the published `databricks-jdbc-thin` artifact previously pulled the vulnerable fork transitively. The upstream `org.lz4` GA is no longer maintained; `at.yawk.lz4` is the fork that received the fix. Fixes #1455.
4954
- Fixed `DatabaseMetaData.getTables()` in Thrift mode returning rows when called with an empty `types` array. Per JDBC spec, empty types means "no types selected" and now correctly returns zero rows (matching SEA mode).
5055
- Fixed `?` characters inside SQL comments, string literals, and quoted identifiers being incorrectly counted as parameter placeholders when `supportManyParameters=1`. `SQLInterpolator` now uses `SqlCommentParser` to locate only real placeholders. Fixes #1331.
5156
- Fixed `MetadataOperationTimeout` not being applied when metadata operations use SHOW commands. Operations like `getTables`, `getSchemas`, and `getColumns` now respect the `MetadataOperationTimeout` connection property instead of hanging indefinitely with no timeout.
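Review bot: the `httpclient5`/`httpcore5`/`httpcore5-h2` entry says all three go "from 5.3.1 to 5.5.2", but the root `pom.xml` in this same commit sets `<httpcore5.version>5.3.6</httpcore5.version>` and the commit description says only httpclient5 is 5.5.2 while httpcore5/httpcore5-h2 resolve to 5.3.6; since CVE-2025-8671 is in `httpcore5-h2`, the changelog should name the version that carries the fix, e.g. "httpclient5 from 5.3.1 to 5.5.2 and httpcore5/httpcore5-h2 from 5.3.1 to 5.3.6". The netty entry also lists a different CVE set (CVE-2026-42577 through 42587, 44248, 41417, 42578) than the commit description (CVE-2026-33870, 33871, 42585, 42587) and is the only entry without an advisory link; align the two lists and link at least one advisory so a reader can check the "not exploitable in this usage" claim.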

jdbc-core/pom.xml

Lines changed: 2 additions & 2 deletions
@@ -171,7 +171,7 @@
171171
<scope>test</scope>
172172
</dependency>
173173
<dependency>
174-
<groupId>org.lz4</groupId>
174+
<groupId>at.yawk.lz4</groupId>
175175
<artifactId>lz4-java</artifactId>
176176
<version>${lz4-compression.version}</version>
177177
</dependency>
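Review bot: the groupId switches to `at.yawk.lz4` but nothing in the POM records why, and the version property keeps its generic `${lz4-compression.version}` name; a one-line XML comment above `<groupId>at.yawk.lz4</groupId>` saying that `org.lz4:lz4-java` is a relocation-only POM for this fork and that versions with the CVE-2025-66566 fix exist only under `at.yawk.lz4` (as the commit message explains) will stop a future dependency refresh from "correcting" it back to `org.lz4`. Also worth grepping the shade plugin configuration and any dependency-check suppressions for the literal `org.lz4`, since a relocation rule or exclusion keyed on the old groupId would silently stop matching after this change.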
@@ -218,7 +218,7 @@
218218
<dependency>
219219
<groupId>org.apache.httpcomponents.core5</groupId>
220220
<artifactId>httpcore5</artifactId>
221-
<version>${async-httpclient.version}</version>
221+
<version>${httpcore5.version}</version>
222222
</dependency>
223223
<dependency>
224224
<groupId>io.github.resilience4j</groupId>
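Review bot: only `httpcore5` is pinned to `${httpcore5.version}` here, while the CVE this bump targets (CVE-2025-8671) lives in `httpcore5-h2`, which does not appear in this hunk and so is presumably resolved transitively through `httpclient5`; declare `httpcore5-h2` explicitly at `${httpcore5.version}` next to this entry so Maven's nearest-wins resolution cannot drift it to a different core5 version when another dependency brings one in, and so a scanner reading the POM sees the intended version without resolving the tree. The test plan's `unzip -p` check confirms 5.3.6 today, but an explicit pin is what keeps it true after the next unrelated bump.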

pom.xml

Lines changed: 6 additions & 5 deletions
@@ -66,21 +66,22 @@
6666
<databricks-jdbc-version>3.3.3</databricks-jdbc-version>
6767
<arrow.version>18.3.0</arrow.version>
6868
<commons-lang3.version>3.18.0</commons-lang3.version>
69-
<commons-configuration.version>2.10.1</commons-configuration.version>
69+
<commons-configuration.version>2.15.0</commons-configuration.version>
7070
<commons-io.version>2.14.0</commons-io.version>
7171
<databricks-sdk.version>0.69.0</databricks-sdk.version>
7272
<httpclient.version>4.5.14</httpclient.version>
73-
<async-httpclient.version>5.3.1</async-httpclient.version>
73+
<async-httpclient.version>5.5.2</async-httpclient.version>
74+
<httpcore5.version>5.3.6</httpcore5.version>
7475
<thrift.version>0.19.0</thrift.version>
7576
<slf4j.version>2.0.13</slf4j.version>
76-
<jackson.version>2.18.6</jackson.version>
77+
<jackson.version>2.18.7</jackson.version>
7778
<gson.version>2.13.2</gson.version>
7879
<google.guava.version>33.0.0-jre</google.guava.version>
7980
<google.findbugs.annotations.version>3.0.1</google.findbugs.annotations.version>
8081
<immutables.value.version>2.9.2</immutables.value.version>
81-
<lz4-compression.version>1.8.1</lz4-compression.version>
82+
<lz4-compression.version>1.10.1</lz4-compression.version>
8283
<annotation.version>1.3.5</annotation.version>
83-
<netty.version>4.2.12.Final</netty.version>
84+
<netty.version>4.2.13.Final</netty.version>
8485
<grpc.version>1.71.0</grpc.version>
8586
<jts-core.version>1.20.0</jts-core.version>
8687
<resilience4j.version>1.7.0</resilience4j.version>
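Review bot: `async-httpclient.version` (5.5.2) and the new `httpcore5.version` (5.3.6) now deliberately differ, but nothing in the properties block says so; add an XML comment on `<httpcore5.version>5.3.6</httpcore5.version>` stating that httpclient5 5.5.x and httpcore5 are no longer released in lockstep and that this value must track the httpcore5 that httpclient5 pulls transitively, otherwise the next routine bump will set both to one value and the build will fail to resolve (or, worse, resolve to a mismatched pair). Minor: `commons-configuration.version` governs `commons-configuration2`; renaming the property to match the artifact would avoid the same kind of confusion.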
