From c0cba5fbe2621af7f84d7c438db067f813c3ec5e Mon Sep 17 00:00:00 2001 From: Will Mooreston Date: Tue, 7 Jul 2026 16:35:09 -0700 Subject: [PATCH] Update Tomcat, HttpCore5, Jackson for OWASP CVE remediation Bump Tomcat 11.0.22 -> 11.0.23 (CVE-2026-53434 and CVE-2026-55276 CRITICAL, plus CVE-2026-53404, CVE-2026-55955, CVE-2026-55956, CVE-2026-50229), httpcore5 5.4.2 -> 5.4.3 with a new httpcore5-h2 force at the same version (CVE-2026-54399), and Jackson 2.21.4 -> 2.21.5 (CVE-2026-54515). These clear the corresponding OWASP Dependency Check findings on develop. Suppress two false positives: classic httpcore 4.x (CVE-2026-54399 is scoped to HttpComponents Core 5.x; the 4.x line is EOL and unaffected) and the Kotlin runtime jars (CVE-2026-53914 is a build-cache-metadata deserialization flaw in Kotlin build tooling, scored 6.7 MEDIUM by JetBrains, not applicable to the shipped stdlib/reflect jars). The Tomcat pin is intentionally held ahead of Spring Boot's managed Tomcat (SB 4.0.6 -> 11.0.21, 4.0.7 -> 11.0.22, both affected); comments updated so it is not synced back down. ActiveMQ is handled in a companion platform PR, and the two labkey-api-jdbc shaded httpcore5 findings are left until the labkey-api-java -> jdbc release chain lands. --- build.gradle | 2 ++ dependencyCheckSuppression.xml | 20 ++++++++++++++++++++ gradle.properties | 14 +++++++------- 3 files changed, 29 insertions(+), 7 deletions(-) diff --git a/build.gradle b/build.gradle index 1ffa4c81aa..2e1685cb79 100644 --- a/build.gradle +++ b/build.gradle @@ -246,6 +246,8 @@ allprojects { // force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr force "org.apache.httpcomponents:httpcore:${httpcoreVersion}" force "org.apache.httpcomponents.core5:httpcore5:${httpcore5Version}" + // httpcore5-h2 arrives transitively (not pinned before); force to the fixed version for CVE-2026-54399 + force "org.apache.httpcomponents.core5:httpcore5-h2:${httpcore5Version}" // force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr force "org.apache.httpcomponents:httpclient:${httpclientVersion}" force "org.apache.httpcomponents.client5:httpclient5:${httpclient5Version}" diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml index 4b696b82a5..92db6ed994 100644 --- a/dependencyCheckSuppression.xml +++ b/dependencyCheckSuppression.xml @@ -437,5 +437,25 @@ ^pkg:maven/com\.networknt/json-schema-validator@.*$ CVE-2025-15104 + + + + ^pkg:maven/org\.apache\.httpcomponents/httpcore@.*$ + CVE-2026-54399 + + + + + ^pkg:maven/org\.jetbrains\.kotlin/.*@.*$ + CVE-2026-53914 + diff --git a/gradle.properties b/gradle.properties index 696d65f97e..d1d3167cbf 100644 --- a/gradle.properties +++ b/gradle.properties @@ -96,8 +96,8 @@ apacheDirectoryVersion=2.1.7 #Transitive dependency of Apache directory apacheMinaVersion=2.2.7 -# Usually matches the version specified as a Spring Boot dependency (see springBootVersion below) -apacheTomcatVersion=11.0.22 +# Intentionally held ahead of the Tomcat version Spring Boot manages (SB 4.0.6 -> 11.0.21, 4.0.7 -> 11.0.22, both affected by CVE-2026-53434/-55276 et al.). Keep at 11.0.23+ until a Spring Boot release ships a patched Tomcat. (see springBootVersion below) +apacheTomcatVersion=11.0.23 # (mothership) -> json-path -> json-smart -> accessor-smart # (core) -> graalvm @@ -185,7 +185,7 @@ hamcrestVersion=2.2 htsjdkVersion=4.3.0 httpclient5Version=5.5.2 -httpcore5Version=5.4.2 +httpcore5Version=5.4.3 # Not used directly, but these are widely used transitive dependencies httpclientVersion=4.5.14 @@ -194,9 +194,9 @@ httpcoreVersion=4.4.16 intellijKotlinVersion=2.3.10 # Update the three Jackson dependency versions below in tandem, unless one gets a patch release out-of-sync with the others -jacksonVersion=2.21.4 -jacksonDatabindVersion=2.21.4 -jacksonJaxrsBaseVersion=2.21.4 +jacksonVersion=2.21.5 +jacksonDatabindVersion=2.21.5 +jacksonJaxrsBaseVersion=2.21.5 # Note the inconsistent version numbering for "annotations"... it no longer matches the above jacksonAnnotationsVersion=2.21 @@ -300,7 +300,7 @@ slf4jLog4jApiVersion=2.0.18 # This is a dependency for HTSJDK. Force version for CVE-2023-43642 snappyJavaVersion=1.1.10.8 -# Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version +# Note: apacheTomcatVersion above is intentionally held ahead of Spring Boot's managed Tomcat for CVE remediation (see the comment there) springBootVersion=4.0.6 # This usually matches the Spring Framework version dictated by springBootVersion springVersion=7.0.7