Bump shaded jackson, httpcore5-h2, netty, commons-configuration2, lz4 to address CVEs#1456
Merged
…, commons-configuration2

Bumps four shaded dependencies that consumers can't override via Maven dependency management because they're shaded into the uber JAR:

* jackson-core 2.18.6 -> 2.18.7 (SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551)
* httpclient5/httpcore5/httpcore5-h2 5.3.1 -> 5.5.2 (CVE-2025-8671 in httpcore5-h2)
* netty-buffer/netty-common 4.2.12.Final -> 4.2.13.Final (clears scanner reports for May 2026 codec-http/dns/mqtt CVE batch; the driver does not use any netty HTTP/codec components, so none of these are exploitable here)
* commons-configuration2 2.10.1 -> 2.15.0 (CVE-2026-45205 YAML parsing uncontrolled recursion; the driver does not parse untrusted YAML)

Also extracts a separate `httpcore5.version` property (5.3.6) because httpclient5 5.5.2 and httpcore5 are no longer published with the same version on the 5.5 release line.

Verified by inspecting the uber jar after build: jackson-core 2.18.7, httpclient5 5.5.2, httpcore5 5.3.6, httpcore5-h2 5.3.6, netty-buffer 4.2.13.Final, netty-common 4.2.13.Final, commons-configuration2 2.15.0.

Fixes #1436.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
The driver previously declared org.lz4:lz4-java:1.8.1. That coordinate is a relocation-only POM on Maven Central pointing at at.yawk.lz4:lz4-java:1.8.1, so the published databricks-jdbc-thin POM ended up transitively declaring at.yawk.lz4:lz4-java:1.8.1 for downstream consumers (and the uber jar shaded the same vulnerable jar). The upstream org.lz4 GA is no longer maintained; the at.yawk.lz4 fork is where the fix landed.

CVE-2025-66566 is an information leak in the safe/unsafe Java decompressors where output buffers can leak residual bytes from prior callers. Practical risk for this driver is low (we decompress trusted server-sent Arrow chunks into freshly-allocated streams, not reused buffers), but the published artifacts should not carry the vulnerable version.

Verified the regenerated assembly-thin/dependency-reduced-pom.xml declares at.yawk.lz4:lz4-java:1.10.1, and the uber jar bundles the matching jar (META-INF/maven/at.yawk.lz4/lz4-java/pom.properties). DecompressionUtilTest still passes.

Fixes #1455.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
gopalldb approved these changes on May 20, 2026.
This was referenced on May 20, 2026 by issue #1436 (closed): [Security] Upgrade Databricks JDBC Driver to resolve shaded jackson-core and httpcore5-h2 CVEs.
gopalldb pushed a commit to gopalldb/databricks-jdbc that referenced this pull request on May 20, 2026:
… to address CVEs (databricks#1456)

## Summary

Bumps five shaded/published dependencies that consumers can't override via Maven dependency management — either because they're shaded into the uber JAR, or (for the lz4 case) because they're declared as flattened transitives in the published `databricks-jdbc-thin` POM.

| Dependency | From | To | Reason |
|---|---|---|---|
| `jackson-core` | 2.18.6 | 2.18.7 | [SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551](https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551) — DoS via oversized JSON documents bypassing size limits |
| `httpclient5` / `httpcore5` / `httpcore5-h2` | 5.3.1 | 5.5.2 / 5.3.6 | [CVE-2025-8671](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCORE5-15857052) — HTTP/2 stream-reset DoS in `httpcore5-h2` |
| `netty-buffer` / `netty-common` | 4.2.12.Final | 4.2.13.Final | Clears the May 2026 netty codec CVE batch: [CVE-2026-33870](https://nvd.nist.gov/vuln/detail/CVE-2026-33870), [CVE-2026-33871](https://nvd.nist.gov/vuln/detail/CVE-2026-33871), [CVE-2026-42585](https://nvd.nist.gov/vuln/detail/CVE-2026-42585), [CVE-2026-42587](GHSA-f6hv-jmp6-3vwv), and others. All advisories target netty's HTTP/codec components, which the driver does not use (netty is only used as Arrow's off-heap buffer allocator) — but the bump silences the scanner false-positive CPE matches against `netty-buffer`/`netty-common`. |
| `commons-configuration2` | 2.10.1 | 2.15.0 | [CVE-2026-45205](https://nvd.nist.gov/vuln/detail/CVE-2026-45205) — uncontrolled recursion when parsing untrusted YAML configs (the driver does not parse untrusted YAML; practical risk is negligible) |
| `lz4-java` | `org.lz4:lz4-java:1.8.1` | `at.yawk.lz4:lz4-java:1.10.1` | [CVE-2025-66566](https://nvd.nist.gov/vuln/detail/CVE-2025-66566) — information leak via uncleared output buffers in safe/unsafe Java decompressors |

Also extracts a separate `httpcore5.version` property because `httpclient5` 5.5.2 and `httpcore5` are no longer published in lockstep on the 5.5 line (httpclient5 5.5.2 transitively pulls httpcore5 5.3.6).

Fixes databricks#1436. Fixes databricks#1455. Fixes databricks#1457. (Issue databricks#1423 — netty in 3.3.1 — was already fixed by the netty 4.2.6 → 4.2.12 bump in databricks#1347, shipped in 3.3.2. This PR additionally moves to 4.2.13.Final.)

### Notes on the lz4 bump

`org.lz4:lz4-java:1.8.1` is a relocation-only POM that resolves to `at.yawk.lz4:lz4-java:1.8.1` (the upstream `org.lz4` GA is no longer maintained). Maven's relocation handling meant the **published `databricks-jdbc-thin` POM** declared `at.yawk.lz4:lz4-java:1.8.1` as a flat transitive — and the uber JAR shaded that same vulnerable jar. Bumping the groupId to `at.yawk.lz4` and the version to 1.10.1 (which has the fix for CVE-2025-66566) addresses both the thin and uber artifacts.

Practical risk for this driver is low — `DecompressionUtil` decompresses trusted server-sent Arrow chunks into freshly-allocated streams, not reused buffers — but the published artifacts should not carry the vulnerable version.

### Note on databricks#1457's Arrow CVE-2024-52338

The Arrow finding in databricks#1457 ([CVE-2024-52338](https://nvd.nist.gov/vuln/detail/CVE-2024-52338)) is a CPE false positive and does not require an Arrow bump. The [Apache advisory](https://www.openwall.com/lists/oss-security/2024/11/28/3) explicitly states it covers only the Apache Arrow R package on CRAN (R 4.0.0 – 16.1.0, fixed in R 17.0.0). The driver ships Java Arrow 18.3.0, which is unaffected by both ecosystem (Java ≠ R) and version range. This will be silenced via an `owasp-suppressions.xml` entry in a separate follow-up PR (same precedent as the existing `CVE-2026-25087` suppression for Arrow C++ vs Java).

### Out of scope — follow-up

* **libthrift 0.19.0 → 0.23.0**: required to clear the May 2026 libthrift CVE batch from scanner reports (most of those CVEs target Go/Node/C_glib/Rust bindings and don't affect Java usage, but scanners match by GA coordinates). Bump cannot be done in this PR because libthrift 0.21 changed the `ProcessFunction` generic signature, and the checked-in Thrift-generated Java code at `src/main/java/com/databricks/jdbc/model/client/thrift/generated/TCLIService.java` needs to be regenerated with the 0.23 compiler from `src/main/java/com/databricks/jdbc/dbclient/impl/thrift/TCLIService.thrift`. There is currently no codegen script or Maven plugin in the repo to do this — should be tracked separately and probably wired up as a `regenerate-thrift.sh` so it isn't lost in the future.
* **protobuf-java 3.25.5 CVE-2026-0994**: Python-only (`google.protobuf.json_format.ParseDict()`); no Java fix exists and no action needed.
* **grpc-api 1.71.0 CVE-2026-33186**: Go-only (gRPC-Go server authz bypass); grpc-java is unaffected. Follow-up suppression PR will silence this scanner false positive.
* **OWASP scanner gap (CVE-2025-66566 in lz4 missed our weekly scan)**: dependency-check identifies `at.yawk.lz4:lz4-java@1.8.1` correctly but matches zero vulnerabilities against it because the `at.yawk.lz4` GA has no CPE in NVD. The OSS Index analyzer is configured in `jdbc-core/pom.xml` but no credentials are wired in `vulnerabilityCatcher.yml`, so it's effectively never enriching results. Recommend (a) wiring OSS Index creds or (b) adding a purl-based scanner (osv-scanner / dependency-track) to the weekly workflow as a backstop.

## Test plan

- [x] `mvn clean install -DskipTests -Plocal` succeeds.
- [x] `mvn -pl jdbc-core test -Plocal -Dgroups='!Jvm17PlusAndArrowToNioReflectionDisabled'` — **3288 tests, 0 failures, 0 errors**.
- [x] `mvn -pl jdbc-core test -Plocal -Dtest='DecompressionUtilTest'` — passes (lz4 decompression).
- [x] Verified the shaded uber JAR contains the expected versions via `unzip -p META-INF/maven/*/<artifact>/pom.properties`:
  - `jackson-core 2.18.7`, `jackson-databind 2.18.7`
  - `httpclient5 5.5.2`, `httpcore5 5.3.6`, `httpcore5-h2 5.3.6`
  - `netty-buffer 4.2.13.Final`, `netty-common 4.2.13.Final`
  - `commons-configuration2 2.15.0`
  - `at.yawk.lz4:lz4-java 1.10.1`
- [x] Verified `assembly-thin/dependency-reduced-pom.xml` now declares `at.yawk.lz4:lz4-java:1.10.1` (was `at.yawk.lz4:lz4-java:1.8.1`).
- [ ] Full PR CI: unit tests on all JDK matrix entries, integration tests, integration smoke against DBSQL.

This pull request and its description were written by Isaac.

---------

Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
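The two manual verification steps in the test plan above (reading each shaded `pom.properties` out of the uber JAR, and checking which coordinates the flattened thin POM declares) as a scripted check. This is an added example, not code from the PR or the driver's own tooling; it reads the same files that `unzip -p META-INF/maven/*/<artifact>/pom.properties` prints, and the Maven groupIds for artifacts the PR lists by name only are filled in as assumptions.

```python
# Added example (not the driver's own tooling); groupIds are assumed from the PR's artifact names.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Expected pins from the PR's test plan, keyed by groupId:artifactId.
EXPECTED = {
    "com.fasterxml.jackson.core:jackson-core": "2.18.7",
    "org.apache.httpcomponents.core5:httpcore5-h2": "5.3.6",
    "io.netty:netty-buffer": "4.2.13.Final",
    "org.apache.commons:commons-configuration2": "2.15.0",
    "at.yawk.lz4:lz4-java": "1.10.1",
}
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")
def local(tag): return tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix

def bundled_versions(jar_bytes: bytes) -> dict:
    """groupId:artifactId -> version for every pom.properties shaded into the JAR
    (the files that `unzip -p META-INF/maven/*/<artifact>/pom.properties` prints)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in filter(POM_PROPS.match, jar.namelist()):
            lines = jar.read(name).decode("utf-8", "replace").splitlines()
            p = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
            found[f"{p['groupId']}:{p['artifactId']}"] = p["version"]
    return found

def declared_versions(pom_xml: str) -> dict:
    """groupId:artifactId -> version per <dependency> in a flattened POM (e.g. dependency-reduced-pom.xml)."""
    out = {}
    for d in ET.fromstring(pom_xml).iter():
        if local(d.tag) == "dependency":  # a relocated dependency appears here under its target groupId
            f = {local(c.tag): (c.text or "").strip() for c in d}
            out[f"{f.get('groupId')}:{f.get('artifactId')}"] = f.get("version")
    return out

def find_mismatches(actual: dict, expected: dict = EXPECTED) -> list:
    """Every expected coordinate that is missing or present at another version."""
    return sorted(f"{ga}: expected {want}, found {actual.get(ga, 'missing')}"
                  for ga, want in expected.items() if actual.get(ga) != want)

def make_jar(entries: dict) -> bytes:
    """Constructed sample input: an in-memory JAR with one pom.properties per entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for ga, v in entries.items():
            g, a = ga.split(":")
            jar.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                         f"#Generated by Maven\nversion={v}\ngroupId={g}\nartifactId={a}\n")
    return buf.getvalue()
```

Run `find_mismatches(bundled_versions(open("target/databricks-jdbc.jar", "rb").read()))` against a real build (path assumed) and a non-empty list means a pin drifted, which is exactly the stale `at.yawk.lz4:lz4-java:1.8.1` case the PR describes.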