Fix CVE-2025-48734, CVE-2024-13009 (#36106) (#36109)

liferoad · stankiewicz · web-flow · commit 3461a467804f · 2025-09-10T16:33:32.000-04:00
* update dependencies due to CVE-2024-13009 and CVE-2025-24970 * update dependency due to transitive dependency with CVE-2025-48734 * outstanding netty dependency. * fix netty's CVE-2025-55163 * Revert "fix netty's CVE-2025-55163" This reverts commit 874a77c. * revert netty Co-authored-by: Radosław Stankiewicz <radoslaws@google.com>
diff --git a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
@@ -617,7 +617,7 @@ class BeamModulePlugin implements Plugin<Project> {
     // [bomupgrader] determined by: io.grpc:grpc-netty, consistent with: google_cloud_platform_libraries_bom
     def grpc_version = "1.71.0"
     def guava_version = "33.1.0-jre"
-    def hadoop_version = "3.4.1"
+    def hadoop_version = "3.4.2"
     def hamcrest_version = "2.1"
     def influxdb_version = "2.19"
     def httpclient_version = "4.5.13"
diff --git a/runners/google-cloud-dataflow-java/worker/build.gradle b/runners/google-cloud-dataflow-java/worker/build.gradle
@@ -131,7 +131,7 @@ applyJavaNature(
             dependencies {
                 // We have to include jetty-server/jetty-servlet and all of its transitive dependencies
                 // which includes several org.eclipse.jetty artifacts + servlet-api
-                include(dependency("org.eclipse.jetty:.*:9.4.54.v20240208"))
+                include(dependency("org.eclipse.jetty:.*:9.4.57.v20241219"))
                 include(dependency("javax.servlet:javax.servlet-api:3.1.0"))
             }
             relocate("org.eclipse.jetty", getWorkerRelocatedPath("org.eclipse.jetty"))
@@ -200,8 +200,8 @@ dependencies {
     compileOnly "org.conscrypt:conscrypt-openjdk-uber:2.5.1"
 
     implementation "javax.servlet:javax.servlet-api:3.1.0"
-    implementation "org.eclipse.jetty:jetty-server:9.4.54.v20240208"
-    implementation "org.eclipse.jetty:jetty-servlet:9.4.54.v20240208"
+    implementation "org.eclipse.jetty:jetty-server:9.4.57.v20241219"
+    implementation "org.eclipse.jetty:jetty-servlet:9.4.57.v20241219"
     implementation library.java.avro
     implementation library.java.jackson_annotations
     implementation library.java.jackson_core
diff --git a/sdks/java/extensions/sql/hcatalog/build.gradle b/sdks/java/extensions/sql/hcatalog/build.gradle
@@ -26,7 +26,7 @@ applyJavaNature(
 )
 
 def hive_version = "3.1.3"
-def netty_version = "4.1.51.Final"
+def netty_version = "4.1.110.Final"
 
 /*
  * We need to rely on manually specifying these evaluationDependsOn to ensure that

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ applyJavaNature(`
`26`	`26`	`)`
`27`	`27`
`28`	`28`	`def hive_version = "3.1.3"`
`29`		`-def netty_version = "4.1.51.Final"`
	`29`	`+def netty_version = "4.1.110.Final"`
`30`	`30`
`31`	`31`	`/*`
`32`	`32`	`* We need to rely on manually specifying these evaluationDependsOn to ensure that`